Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240508-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    14-05-2024 19:11

General

  • Target

    13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe

  • Size

    1.2MB

  • MD5

    13479ce2adfeb68235431878761f2bd0

  • SHA1

    becd3db1ddb9494d64b2f8f28ca9dcfea5afdbb2

  • SHA256

    56eb43e82dc6e809762241b8c517ad95557489df9f758e5d2f4104742ca892b7

  • SHA512

    597d1bb3e5f090bd098bcf52ba37e132175e6c29161ba1e8398875c8de230ceb3efe47f88f435b639a8ec73fd3d0a559df072b0bf4b0b9e934540f58f9615785

  • SSDEEP

    24576:VR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:bJaDKf4p4UD1v

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins at runtime.

  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. In this report the signature is attached to the schtasks.exe instances, which appear at the top level of the process tree, so the process that spawned them is not shown.

  • UAC bypass 3 TTPs 54 IoCs
  • DCRat payload 12 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 17 IoCs
  • Checks whether UAC is enabled 1 TTPs 36 IoCs
  • Drops file in Program Files directory 25 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 54 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2100
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jDRdKfCJCw.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2476
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:596
        • C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
          "C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:588
          • C:\Windows\Media\smss.exe
            "C:\Windows\Media\smss.exe"
            4⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1904
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43cefd7b-6e88-4ac7-a602-05260fe31e9e.vbs"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1028
              • C:\Windows\Media\smss.exe
                C:\Windows\Media\smss.exe
                6⤵
                • UAC bypass
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:2384
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfb2d52e-83a8-4a99-90ae-3720c660371e.vbs"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1664
                  • C:\Windows\Media\smss.exe
                    C:\Windows\Media\smss.exe
                    8⤵
                    • UAC bypass
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    • System policy modification
                    PID:2484
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\799bc677-0fac-4adc-9a92-b960b97de8dc.vbs"
                      9⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2700
                      • C:\Windows\Media\smss.exe
                        C:\Windows\Media\smss.exe
                        10⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        • System policy modification
                        PID:1912
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b16c6f76-e247-408c-a894-f4d349f6c600.vbs"
                          11⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1388
                          • C:\Windows\Media\smss.exe
                            C:\Windows\Media\smss.exe
                            12⤵
                            • UAC bypass
                            • Executes dropped EXE
                            • Checks whether UAC is enabled
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            • System policy modification
                            PID:1836
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8024b097-5de2-4f1e-81a2-02127186665c.vbs"
                              13⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2856
                              • C:\Windows\Media\smss.exe
                                C:\Windows\Media\smss.exe
                                14⤵
                                • UAC bypass
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                • System policy modification
                                PID:352
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bf7f696-be4a-41cd-8316-3a7beac2b137.vbs"
                                  15⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:1592
                                  • C:\Windows\Media\smss.exe
                                    C:\Windows\Media\smss.exe
                                    16⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:2716
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d58aebe2-93f5-4c12-a45a-c34d83e36b35.vbs"
                                      17⤵
                                        PID:1992
                                        • C:\Windows\Media\smss.exe
                                          C:\Windows\Media\smss.exe
                                          18⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:2960
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1c60ae0-028d-4130-8c4b-9ca5aa13e98e.vbs"
                                            19⤵
                                              PID:3036
                                              • C:\Windows\Media\smss.exe
                                                C:\Windows\Media\smss.exe
                                                20⤵
                                                • UAC bypass
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:2284
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a1963a4-c2b1-4584-a121-b3aea982b305.vbs"
                                                  21⤵
                                                    PID:2636
                                                    • C:\Windows\Media\smss.exe
                                                      C:\Windows\Media\smss.exe
                                                      22⤵
                                                      • UAC bypass
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • System policy modification
                                                      PID:2376
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc820fc2-6db9-4643-a898-85e0e30b4760.vbs"
                                                        23⤵
                                                          PID:3000
                                                          • C:\Windows\Media\smss.exe
                                                            C:\Windows\Media\smss.exe
                                                            24⤵
                                                            • UAC bypass
                                                            • Executes dropped EXE
                                                            • Checks whether UAC is enabled
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • System policy modification
                                                            PID:2052
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69ccb2bd-6a36-4291-9c39-8300aab3e561.vbs"
                                                              25⤵
                                                                PID:2296
                                                                • C:\Windows\Media\smss.exe
                                                                  C:\Windows\Media\smss.exe
                                                                  26⤵
                                                                  • UAC bypass
                                                                  • Executes dropped EXE
                                                                  • Checks whether UAC is enabled
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • System policy modification
                                                                  PID:276
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0116909-81f8-4b54-aa90-d0fa89f4b2c6.vbs"
                                                                    27⤵
                                                                      PID:1236
                                                                      • C:\Windows\Media\smss.exe
                                                                        C:\Windows\Media\smss.exe
                                                                        28⤵
                                                                        • UAC bypass
                                                                        • Executes dropped EXE
                                                                        • Checks whether UAC is enabled
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        • System policy modification
                                                                        PID:1292
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d68313b8-2f7b-4032-b6d7-24b38b9ca200.vbs"
                                                                          29⤵
                                                                            PID:2248
                                                                            • C:\Windows\Media\smss.exe
                                                                              C:\Windows\Media\smss.exe
                                                                              30⤵
                                                                              • UAC bypass
                                                                              • Executes dropped EXE
                                                                              • Checks whether UAC is enabled
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              • System policy modification
                                                                              PID:2580
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76086249-f61b-437a-ab99-d44f99ded0fe.vbs"
                                                                                31⤵
                                                                                  PID:1156
                                                                                  • C:\Windows\Media\smss.exe
                                                                                    C:\Windows\Media\smss.exe
                                                                                    32⤵
                                                                                    • UAC bypass
                                                                                    • Executes dropped EXE
                                                                                    • Checks whether UAC is enabled
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    • System policy modification
                                                                                    PID:904
                                                                                    • C:\Windows\System32\WScript.exe
                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18065e9e-5672-4baf-9203-613b4a3ca4ec.vbs"
                                                                                      33⤵
                                                                                        PID:1340
                                                                                        • C:\Windows\Media\smss.exe
                                                                                          C:\Windows\Media\smss.exe
                                                                                          34⤵
                                                                                          • UAC bypass
                                                                                          • Executes dropped EXE
                                                                                          • Checks whether UAC is enabled
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          • System policy modification
                                                                                          PID:2996
                                                                                          • C:\Windows\System32\WScript.exe
                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4c1917f-2bc8-4156-afc7-f20335cb0c46.vbs"
                                                                                            35⤵
                                                                                              PID:2300
                                                                                            • C:\Windows\System32\WScript.exe
                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9bdf99a-148f-44ec-8b0e-ab32b6cada7a.vbs"
                                                                                              35⤵
                                                                                                PID:1612
                                                                                          • C:\Windows\System32\WScript.exe
                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\448d9363-eb90-4697-9078-15357ad4961f.vbs"
                                                                                            33⤵
                                                                                              PID:1996
                                                                                        • C:\Windows\System32\WScript.exe
                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d31a3bb-589a-41ea-bac3-3b70fd68e076.vbs"
                                                                                          31⤵
                                                                                            PID:2172
                                                                                      • C:\Windows\System32\WScript.exe
                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fab14468-cb79-4657-958e-2b213e050e44.vbs"
                                                                                        29⤵
                                                                                          PID:636
                                                                                    • C:\Windows\System32\WScript.exe
                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4215c45a-6261-4fc5-9a86-511274a6d2b1.vbs"
                                                                                      27⤵
                                                                                        PID:2348
                                                                                  • C:\Windows\System32\WScript.exe
                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34488273-3c6d-47e8-a5ab-cda0869006c3.vbs"
                                                                                    25⤵
                                                                                      PID:1476
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\756a9aec-a8bd-4042-89ac-5c3c97468ae0.vbs"
                                                                                  23⤵
                                                                                    PID:2096
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb973434-3a47-4c2f-bab7-3804df8bda04.vbs"
                                                                                21⤵
                                                                                  PID:1280
                                                                            • C:\Windows\System32\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ec94f4a-0403-49fd-bf46-bf3de111a583.vbs"
                                                                              19⤵
                                                                                PID:2024
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f6a4a44-4897-42d9-b70e-8c529744a298.vbs"
                                                                            17⤵
                                                                              PID:2804
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9df7be74-3352-4acd-9e66-c747da92421b.vbs"
                                                                          15⤵
                                                                            PID:1944
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e69c453-372a-4c20-99a4-937191e4011f.vbs"
                                                                        13⤵
                                                                          PID:2640
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21a95b86-bd4e-4ab3-8ff7-c3b64f854518.vbs"
                                                                      11⤵
                                                                        PID:2536
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78ccda46-eaea-4073-926a-03ba0b8aa35e.vbs"
                                                                    9⤵
                                                                      PID:2964
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d2e30a7-2ef5-4ad7-9712-62f730e12777.vbs"
                                                                  7⤵
                                                                    PID:2612
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f92a0191-12ee-4c70-8bf4-60d3f5aaa806.vbs"
                                                                5⤵
                                                                  PID:952
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:1152
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          PID:2844
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2532
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2632
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2760
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2492
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2204
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:3008
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2668
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\winlogon.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:1220
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\winlogon.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2776
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\winlogon.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2824
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\taskhost.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2928
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\taskhost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2536
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\taskhost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2348
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Themes\Aero\csrss.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2412
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\csrss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2472
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Themes\Aero\csrss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2208
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Contacts\sppsvc.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2028
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\sppsvc.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:1608
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Contacts\sppsvc.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:1256
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:1672
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:1156
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2132
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Local Settings\taskhost.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2196
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\taskhost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:1336
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Local Settings\taskhost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          PID:1968
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\Idle.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:1972
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\Idle.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:1936
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\Idle.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:1948
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          PID:760
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:704
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2576
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2104
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:1804
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:1492
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\System.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          PID:1992
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\System.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2176
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\System.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2088
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          PID:3024
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:1316
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2008
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\winlogon.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:3068
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\winlogon.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2700
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\winlogon.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2732
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Media\smss.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2684
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Media\smss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2544
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\smss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2540
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Documents\lsass.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2512
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Documents\lsass.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2656
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\lsass.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2804
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\smss.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:3036
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\smss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2308
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\smss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:564
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2668
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:1976
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2528
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:1676
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          PID:2204
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2924
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2016
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2044
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          PID:2160
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:1908
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Creates scheduled task(s)
                                                          PID:2348
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Creates scheduled task(s)
                                                          PID:2472
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\csrss.exe'" /f
                                                          1⤵
                                                          • Creates scheduled task(s)
                                                          PID:2704
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\csrss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Creates scheduled task(s)
                                                          PID:316
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\csrss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                           PID:1056
                                                         • C:\Windows\system32\schtasks.exe
                                                           schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\de-DE\lsm.exe'" /f
                                                           1⤵
                                                           • Creates scheduled task(s)
                                                           PID:1744
                                                         • C:\Windows\system32\schtasks.exe
                                                           schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\de-DE\lsm.exe'" /rl HIGHEST /f
                                                           1⤵
                                                           • Creates scheduled task(s)
                                                           PID:1652
                                                         • C:\Windows\system32\schtasks.exe
                                                           schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\de-DE\lsm.exe'" /rl HIGHEST /f
                                                           1⤵
                                                           • Creates scheduled task(s)
                                                           PID:1752

                                                          Network

                                                          MITRE ATT&CK Enterprise v15

                                                          Downloads

                                                           • C:\Program Files\7-Zip\Lang\csrss.exe
                                                             Filesize: 1.2MB
                                                             MD5: 8dd1faa68cde0e812a381903d33692de
                                                             SHA1: a55eb88a7b454a1e2b45ca797a0715d946d0f426
                                                             SHA256: 58b96de5d5d00d208062c0813530aaf43515356c028a2b34fc54a173161398e5
                                                             SHA512: 5de46c2a0f23bd255ee90fc50ebf1a5643b1b7e3fa09a05d2d408b0a95f8eeebaa3027ea2169e53043c20fae7971f1331b1d969a853b5a413708bb69eabf7ad4

                                                           • C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\cc11b995f2a76d
                                                             MD5: d41d8cd98f00b204e9800998ecf8427e
                                                             SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
                                                             SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
                                                             SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                           • C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\taskhost.exe
                                                             Filesize: 1.2MB
                                                             MD5: 13479ce2adfeb68235431878761f2bd0
                                                             SHA1: becd3db1ddb9494d64b2f8f28ca9dcfea5afdbb2
                                                             SHA256: 56eb43e82dc6e809762241b8c517ad95557489df9f758e5d2f4104742ca892b7
                                                             SHA512: 597d1bb3e5f090bd098bcf52ba37e132175e6c29161ba1e8398875c8de230ceb3efe47f88f435b639a8ec73fd3d0a559df072b0bf4b0b9e934540f58f9615785

                                                           • C:\Users\Admin\AppData\Local\Temp\18065e9e-5672-4baf-9203-613b4a3ca4ec.vbs
                                                             Filesize: 700B
                                                             MD5: 27837288ba3b4f35fbf253f84ae684d4
                                                             SHA1: 4aaa0515c7f5ddb817c99f1c7a40ca5b989d7ca3
                                                             SHA256: c72ec4057c8169ced3060e2033074c96755601b6eeba4f301b22fbf6fc6f109c
                                                             SHA512: 2e99b7bf90f5e88ce70c1b0a790097622ab22ae4c2dea3d3fd019ef8322e608ac8477b6931c21ff4926d23792e60a4a8460357b85816415d1f4c6be5218e82b4

                                                           • C:\Users\Admin\AppData\Local\Temp\43cefd7b-6e88-4ac7-a602-05260fe31e9e.vbs
                                                             Filesize: 701B
                                                             MD5: a2690f7c29639a2bda303bf3681a942b
                                                             SHA1: d66814cab43023047dcc60bc1b2d65fe6f1bf04a
                                                             SHA256: 2ab971890dc461581eab64568eeb84e1f2eb9d85e3f2b726c5feb10b470e378a
                                                             SHA512: d8716f4e06227a8ec8cc9588210aafb7f9126f10fdbe6f7cba99772c2744dbba65a0f8b01d9b282247eb7a628948371f6f50abad83560d3aa3d832a1e38199a7

                                                           • C:\Users\Admin\AppData\Local\Temp\59a07570a8a8386aa1a299e6ab573f686e7e81544.5.321e942f7529053d3bf5a939edfacdca5e36682859
                                                             Filesize: 1KB
                                                             MD5: 3a225a063946b08a53a0c15d78ccc3d2
                                                             SHA1: 98a4f4a89f08156c7ec875e37c10e7aaf023e0d7
                                                             SHA256: 11995a323ae3bda3575b2271b2774dd1ae84fd241b285ff49566b510b088216e
                                                             SHA512: 9a136356979f16598f5cffd1a17e7304c38d3caccf89d1690af5b5cced0527436377642abdf6c042976f0ffd804ad22001fbd4336bb38e5b7089fa1e5c26595b

                                                           • C:\Users\Admin\AppData\Local\Temp\69ccb2bd-6a36-4291-9c39-8300aab3e561.vbs
                                                             Filesize: 701B
                                                             MD5: 4455118f17744376a1e4d0f34689858d
                                                             SHA1: 22e671d6a717de0328fea0d6ea3b9ef8d10a1d42
                                                             SHA256: 2bc3facc661f41d8302b2af886fbf3adedf0bd56d69400c6cc3c69f759694705
                                                             SHA512: a9cf9de629f6b15902c5dc11e0a64940762cdd79d0048169e1892f3c71dbb45d0a3602f2fa2d9fa5399d1977caeafaee72bc625c2dd650d2570aa1d791bdd21b

                                                           • C:\Users\Admin\AppData\Local\Temp\76086249-f61b-437a-ab99-d44f99ded0fe.vbs
                                                             Filesize: 701B
                                                             MD5: e472e20165a4bb94474d7ffe5487c4a3
                                                             SHA1: 3b73d0d95dc54588b97d7b682cf5ac499c4cabab
                                                             SHA256: 1c69bd873068096a545aa8d46da52ac43db88c2684403eba35dc59467825ab31
                                                             SHA512: c99ad189f47c2a91961a9c48bc10718fe6069e33b405aea84991f3d644a49271fdb9df1755e0ec0fa8963bc3b07abcbde1b45682f7062684891aafe0d47666e7

                                                           • C:\Users\Admin\AppData\Local\Temp\799bc677-0fac-4adc-9a92-b960b97de8dc.vbs
                                                             Filesize: 701B
                                                             MD5: fa44ca3284f2e1eddff392a8f0c8fcd8
                                                             SHA1: a8b36d50ca97bdb2d48c67f9284e4d9eae008762
                                                             SHA256: ef05c1f56837f6e770325f03505e799a6e219d7a606624c1ee72598b8518a6b3
                                                             SHA512: b6f9252a6d850662a1be0b171a7968432ab840cbd84bcce4a0ffdafe9c5a2ae09a8dcd6de1628395ba13c293785dc4a9a39b6d6b4fc858b91e1ccfc42798a866

                                                           • C:\Users\Admin\AppData\Local\Temp\7bf7f696-be4a-41cd-8316-3a7beac2b137.vbs
                                                             Filesize: 700B
                                                             MD5: 8415707aa1ad109d89da3b4250e35059
                                                             SHA1: e8f6108c86b7ab588418f89e369ac9c786208406
                                                             SHA256: 4f2cc22adb5abf148737a45f07dfcf648fef2a446d6c0723d139f489fb5d542d
                                                             SHA512: 04d4a0592619f4b7afa1311e2b7c981950768aaf2af6afa09c99b48fea190decb7e8b8371f61ba1358e73aa6b7315296828e64483942a64e9dee342ed600117a

                                                           • C:\Users\Admin\AppData\Local\Temp\8024b097-5de2-4f1e-81a2-02127186665c.vbs
                                                             Filesize: 701B
                                                             MD5: 857ab19c11ed26bd453da5000ffdfdeb
                                                             SHA1: 9cac53a060548d0278e0c98a11fcc51f93dc1310
                                                             SHA256: 58dd27e344c10fc77eee19524da4551b48d070e8e3cc4b580258937f1b3b1df3
                                                             SHA512: 121bb37cd28269668a9d98395031c3f02557fa89a31a25047e2706462755728364d82daca7b46360411947b5d0b93f6f9d1281da1c512f6e5a77f32bcd7eefb8

                                                           • C:\Users\Admin\AppData\Local\Temp\9a1963a4-c2b1-4584-a121-b3aea982b305.vbs
                                                             Filesize: 701B
                                                             MD5: c2ccdd86f92764f5df76181681eb42db
                                                             SHA1: 0ebe5e0ec018265ac783b5183f94d23394ad141d
                                                             SHA256: 4b05d71254db504055668ea7658249a66f83c3e14e98ffbfac2998b3bab4d514
                                                             SHA512: debc77b40ca5bfd877b9987e710afc0764b099663382ccc5e3cd40ed0437f2fe958592b7741a1f1a056baafe234ebe1a9e380a2ee33e99beca9e3f54b291f0f4

                                                           • C:\Users\Admin\AppData\Local\Temp\b16c6f76-e247-408c-a894-f4d349f6c600.vbs
                                                             Filesize: 701B
                                                             MD5: 72af41a91497c7bb36072492c9c83be0
                                                             SHA1: 62469c691670a430b9b9471216eb81e238030cf4
                                                             SHA256: 6322c98ede3a41f07b40f01b3fbfbaa4621291314d719c3e4a5b969b6f636770
                                                             SHA512: cdf96eaad60dae2d4f481e3ed9c5c3e2d23017534b0e2bbd22b0d9364e5677688d5c9e2cdbce22e9d64c4e32cf78969666325a97bba96ff956eb2a8d1ed1034e

                                                           • C:\Users\Admin\AppData\Local\Temp\d58aebe2-93f5-4c12-a45a-c34d83e36b35.vbs
                                                             Filesize: 701B
                                                             MD5: d7c42b5f49df229b3b19366bf7b56390
                                                             SHA1: cb6095be7c504a130aed7ddd8337599a9086d2c2
                                                             SHA256: f1d1e0790bff9093c87eaba982eed77f0e8cb36085414c6fd0408c23ddde8f01
                                                             SHA512: 7e1e9a48a2c295f9e783509ec9f68bd39ee16ed5eda4bb588d91ed1bad77b711081391fb2ed57f2c7aeb0c6c35460c86c3f5ec2073968bddd93569dfa56ceaf8

                                                           • C:\Users\Admin\AppData\Local\Temp\d68313b8-2f7b-4032-b6d7-24b38b9ca200.vbs
                                                             Filesize: 701B
                                                             MD5: 649435c2b51bcd3011e67affcc457772
                                                             SHA1: ef4733d85116975b0ca6e0f847fc91078ed0b27b
                                                             SHA256: a6e8d26b29cd97eb20ea6ea93a1c2110f95778398c532aba04ed327e4ac7c070
                                                             SHA512: 1098454ac1800cfd0496568d3d15d729274e8c713146be708280ddf7358ddbe825b54fc3a5d52f4f2971b9532d66229f0d6a979e58256e21b689748b3e59dd96

                                                           • C:\Users\Admin\AppData\Local\Temp\debd640cb03d667c44d4623e5aca94fa2dcf0604.exe
                                                             Filesize: 1.2MB
                                                             MD5: 6bb133ad7863bf2b0919d49cfc84fb53
                                                             SHA1: 6c6d8e7d38baa8eef16db3c50b592d51aac0f48e
                                                             SHA256: 368a3045eeeb3899c8456e25e5404ce4d621b6b7dc5a0f3867d0cf3f451bc01b
                                                             SHA512: c862c4194a00ad411e6494720288dadc5fee13215d52ec2eabdc8a861dbcdc2f5c695e92c42291830f322fb377cb82f326d73abca57e79f898c9c2ddd80e1a44

                                                           • C:\Users\Admin\AppData\Local\Temp\dfb2d52e-83a8-4a99-90ae-3720c660371e.vbs
                                                             Filesize: 701B
                                                             MD5: 996eb8a3a408aadfefb9c140e9cd6a3a
                                                             SHA1: 45d36af5214a45a776b97265ebb49beac10e9d42
                                                             SHA256: b6e1c06885966cfc3caeb293510322f88a57664adb90e2f1a7f555f040fc5235
                                                             SHA512: ade410c168f6cf51b7a3bfa92b62d08fa030afd6c2b10300d9fbdaf4b84e82342700c978502de332f481b8219eb986452e2d98f0a48425a7e107aad7c4984396

                                                           • C:\Users\Admin\AppData\Local\Temp\e0116909-81f8-4b54-aa90-d0fa89f4b2c6.vbs
                                                             Filesize: 700B
                                                             MD5: d90cde2b33be1187fea97f338e775f25
                                                             SHA1: 9ae8fd319747c8a50b28761c0508f46d2319b877
                                                             SHA256: 46a01a6f4d73966f6e02a3d1d2aac26039dc641042187da4528ac0e95f35daeb
                                                             SHA512: 8099d8e08cae6afd0eaaa2295b74db89932305fd6f3dc159bac04ef668f36ec83ff36b43d2f6758dfac65a58cdf6fba20bd979194e566bd58026df4309f75e71

                                                           • C:\Users\Admin\AppData\Local\Temp\e1c60ae0-028d-4130-8c4b-9ca5aa13e98e.vbs
                                                             Filesize: 701B
                                                             MD5: 2535cb689859ca944a58fd28c96f4309
                                                             SHA1: d2d58a068153cba478e5e411d2b10106cbcfd1bf
                                                             SHA256: fd05728726ad5290d4ec9b8a54a8932cb2cc684224a7373f216cc48d3e2a3f00
                                                             SHA512: 152e6062e80174efbb74f17c9fb51bbcfc451e2e1da749a4296058c73ab143450435d925ca400ae185203594a84ff2f5cea316ce3108801d8b7c87860a435695

                                                           • C:\Users\Admin\AppData\Local\Temp\f92a0191-12ee-4c70-8bf4-60d3f5aaa806.vbs
                                                             Filesize: 477B
                                                             MD5: f44c443d810b0da5a22810d0175aa1ff
                                                             SHA1: fcd7ca2134af6b35967a3f5046b43ee1edaa1081
                                                             SHA256: 132ff8e336af741e7422b3cf75ca578439dff7c2eccc0de2f05caec2d6a23808
                                                             SHA512: 21662ebecbb48afe23f3ee8c34bec7882f9fcc25b3e1e655db7d0b81edcb0b403f9f370f1f91fb8fb6ca3c728d116a747c545c26e50ccb0c2b5cc61830e17222

                                                           • C:\Users\Admin\AppData\Local\Temp\fc820fc2-6db9-4643-a898-85e0e30b4760.vbs
                                                             Filesize: 701B
                                                             MD5: 8e2504782887ef9dd5bb62e0ca61d58f
                                                             SHA1: 37b774258fe9ea7e475b08aaa9d97ba39515d2b7
                                                             SHA256: 612280850f4a85184ca56964ec22b0d148d7f79ac176abe773db0a170cd226b7
                                                             SHA512: 99949402afbf04c80d1bba81bbbd22f0236dbbfc246349e83e146f16db830acd1901d6d386a251b9f03905cfeb69f00f96a66d3090f5a9c9e2664ec083be1899

                                                           • C:\Users\Admin\AppData\Local\Temp\jDRdKfCJCw.bat
                                                             Filesize: 250B
                                                             MD5: ca066d088e7acdb7fd91543fc3b66876
                                                             SHA1: ec64ab9730367bba1b2ee9fcfca9dfd0c03497f5
                                                             SHA256: 1c4ef7d8579da91465f9b3224eff3e3d31b0c39e77d759002036a73feba9171a
                                                             SHA512: dbf5a83a9b26d1c2e5de151841b2907e488a08715b48f19190f14bcff6657ee1c57147cae5b99facf32f1fa7c14ba90419c3036f77b0b051e518b2937c2d8b8d

                                                           • memory/352-227-0x0000000000EC0000-0x0000000000FFA000-memory.dmp
                                                             Filesize: 1.2MB

                                                           • memory/588-91-0x0000000001340000-0x000000000147A000-memory.dmp
                                                             Filesize: 1.2MB

                                                           • memory/1836-215-0x00000000000B0000-0x00000000001EA000-memory.dmp
                                                             Filesize: 1.2MB

                                                           • memory/1904-170-0x0000000000200000-0x000000000033A000-memory.dmp
                                                             Filesize: 1.2MB

                                                           • memory/2100-9-0x0000000000760000-0x000000000076C000-memory.dmp
                                                             Filesize: 48KB

                                                           • memory/2100-5-0x00000000005A0000-0x00000000005B0000-memory.dmp
                                                             Filesize: 64KB

                                                           • memory/2100-12-0x0000000000790000-0x000000000079C000-memory.dmp
                                                             Filesize: 48KB

                                                           • memory/2100-11-0x0000000000780000-0x0000000000788000-memory.dmp
                                                             Filesize: 32KB

                                                           • memory/2100-13-0x00000000007A0000-0x00000000007AC000-memory.dmp
                                                             Filesize: 48KB

                                                           • memory/2100-1-0x00000000001F0000-0x000000000032A000-memory.dmp
                                                             Filesize: 1.2MB

                                                           • memory/2100-20-0x0000000002140000-0x000000000214C000-memory.dmp
                                                             Filesize: 48KB

                                                           • memory/2100-19-0x0000000002130000-0x000000000213A000-memory.dmp
                                                             Filesize: 40KB

                                                           • memory/2100-8-0x0000000000750000-0x000000000075A000-memory.dmp
                                                             Filesize: 40KB

                                                           • memory/2100-7-0x0000000000740000-0x0000000000748000-memory.dmp
                                                             Filesize: 32KB

                                                           • memory/2100-89-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp
                                                             Filesize: 9.9MB

                                                           • memory/2100-6-0x0000000000720000-0x0000000000736000-memory.dmp
                                                             Filesize: 88KB

                                                           • memory/2100-14-0x00000000007B0000-0x00000000007B8000-memory.dmp
                                                             Filesize: 32KB

                                                           • memory/2100-10-0x0000000000770000-0x000000000077C000-memory.dmp
                                                             Filesize: 48KB

                                                           • memory/2100-0-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmp
                                                             Filesize: 4KB

                                                           • memory/2100-2-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp
                                                             Filesize: 9.9MB

                                                           • memory/2100-18-0x00000000007F0000-0x00000000007F8000-memory.dmp
                                                             Filesize: 32KB

                                                           • memory/2100-15-0x00000000007C0000-0x00000000007CA000-memory.dmp
                                                             Filesize: 40KB

                                                           • memory/2100-4-0x0000000000590000-0x0000000000598000-memory.dmp
                                                             Filesize: 32KB

                                                           • memory/2100-17-0x00000000007E0000-0x00000000007EC000-memory.dmp
                                                             Filesize: 48KB

                                                           • memory/2100-3-0x00000000001D0000-0x00000000001EC000-memory.dmp

                                                            Filesize

                                                            112KB

                                                          • memory/2100-16-0x00000000007D0000-0x00000000007DE000-memory.dmp

                                                            Filesize

                                                            56KB

                                                          • memory/2284-262-0x0000000001060000-0x000000000119A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                          • memory/2384-181-0x0000000001070000-0x00000000011AA000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                          • memory/2580-318-0x00000000013D0000-0x000000000150A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                          • memory/2960-250-0x0000000000F90000-0x00000000010CA000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                          • memory/2996-339-0x00000000000F0000-0x000000000022A000-memory.dmp

                                                            Filesize

                                                            1.2MB