Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
  • submitted
    15-05-2024 04:00

General

  • Target

    77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe

  • Size

    2.9MB

  • MD5

    77177c57df58a82f289add0cf57ea320

  • SHA1

    38c0414cb96be176cdf3b965b870bdf5de04f4a4

  • SHA256

    6f250581eae818938c64c4afa3446c7c36dfadda1d8b8ba20870ad0e05c7fe50

  • SHA512

    67161531bc39774e219b77de3166c3216ff962ca81af0982a44a502bd25d333aa742f8fca8e5720d91b4e69ddd6c829a0e014b94f7af89d1ceb601691dd2c9b6

  • SSDEEP

    49152:f4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:QDKmzjWnC8Wikx1DUN2/Uq

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 51 IoCs
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 16 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 16 IoCs
  • Checks whether UAC is enabled 1 TTPs 34 IoCs
  • Drops file in Program Files directory 42 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 16 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 51 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1616
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4284
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4300
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4356
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5096
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2892
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3312
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4032
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2388
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1192
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4896
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AHjKJtDsqF.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1996
        • C:\Users\Admin\AppData\Local\Temp\77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
          "C:\Users\Admin\AppData\Local\Temp\77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4932
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4376
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4112
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4556
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2928
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2880
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2912
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4760
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:5000
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3576
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1944
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4208
          • C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
            "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
            4⤵
            • UAC bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1828
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3ed7e3e-a4e2-40af-8049-83337d7c8668.vbs"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4748
              • C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
                "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
                6⤵
                • UAC bypass
                • Checks computer location settings
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:2456
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd81e433-a47e-4909-bcd6-be63ea329b3a.vbs"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3416
                  • C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
                    "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
                    8⤵
                    • UAC bypass
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Modifies registry class
                    • Suspicious use of AdjustPrivilegeToken
                    • System policy modification
                    PID:1316
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e940332e-2a5e-4688-9aee-017368a7e9a1.vbs"
                      9⤵
                        PID:2864
                        • C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
                          "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
                          10⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • System policy modification
                          PID:3012
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9667e039-cbb8-434f-826d-a71e49bee52c.vbs"
                            11⤵
                              PID:4356
                              • C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
                                "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
                                12⤵
                                • UAC bypass
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Modifies registry class
                                • Suspicious use of AdjustPrivilegeToken
                                • System policy modification
                                PID:3596
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04c159b3-0128-4873-9dcf-065314d47d43.vbs"
                                  13⤵
                                    PID:644
                                    • C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
                                      "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
                                      14⤵
                                      • UAC bypass
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Modifies registry class
                                      • Suspicious use of AdjustPrivilegeToken
                                      • System policy modification
                                      PID:4804
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01411473-7746-4bce-8350-85d41f9af26e.vbs"
                                        15⤵
                                          PID:3960
                                          • C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
                                            "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
                                            16⤵
                                            • UAC bypass
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Checks whether UAC is enabled
                                            • Modifies registry class
                                            • Suspicious use of AdjustPrivilegeToken
                                            • System policy modification
                                            PID:2496
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3698677-11cf-42bb-9c15-a6c646eeda58.vbs"
                                              17⤵
                                                PID:2132
                                                • C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
                                                  "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
                                                  18⤵
                                                  • UAC bypass
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Checks whether UAC is enabled
                                                  • Modifies registry class
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • System policy modification
                                                  PID:4556
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10e234ee-da72-48b5-870e-2d445fb948e5.vbs"
                                                    19⤵
                                                      PID:3276
                                                      • C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
                                                        "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
                                                        20⤵
                                                        • UAC bypass
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Checks whether UAC is enabled
                                                        • Modifies registry class
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • System policy modification
                                                        PID:1256
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47fdc7c8-15cb-4f24-9069-2d2fbc37c0b6.vbs"
                                                          21⤵
                                                            PID:2664
                                                            • C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
                                                              "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
                                                              22⤵
                                                              • UAC bypass
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Checks whether UAC is enabled
                                                              • Modifies registry class
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • System policy modification
                                                              PID:4240
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8998c9f2-2e66-4878-a9b8-bfe8a34ced80.vbs"
                                                                23⤵
                                                                  PID:3920
                                                                  • C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
                                                                    "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
                                                                    24⤵
                                                                    • UAC bypass
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Checks whether UAC is enabled
                                                                    • Modifies registry class
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    • System policy modification
                                                                    PID:2204
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fabace9-2acc-45a3-983e-1c0c0f6d4dbf.vbs"
                                                                      25⤵
                                                                        PID:4156
                                                                        • C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
                                                                          "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
                                                                          26⤵
                                                                          • UAC bypass
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Checks whether UAC is enabled
                                                                          • Modifies registry class
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          • System policy modification
                                                                          PID:3492
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff2ff6d0-195c-4f7e-bca5-707bedf28894.vbs"
                                                                            27⤵
                                                                              PID:1080
                                                                              • C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
                                                                                "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
                                                                                28⤵
                                                                                • UAC bypass
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • Checks whether UAC is enabled
                                                                                • Modifies registry class
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                • System policy modification
                                                                                PID:5092
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2115e1f2-5b2a-4e29-adf5-4d6e7a247c21.vbs"
                                                                                  29⤵
                                                                                    PID:3548
                                                                                    • C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
                                                                                      "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
                                                                                      30⤵
                                                                                      • UAC bypass
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Checks whether UAC is enabled
                                                                                      • Modifies registry class
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      • System policy modification
                                                                                      PID:4880
                                                                                      • C:\Windows\System32\WScript.exe
                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b81c8b17-f9ae-4b20-a800-daa36b9c1891.vbs"
                                                                                        31⤵
                                                                                          PID:4992
                                                                                          • C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
                                                                                            "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
                                                                                            32⤵
                                                                                            • UAC bypass
                                                                                            • Executes dropped EXE
                                                                                            • Checks whether UAC is enabled
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            • System policy modification
                                                                                            PID:4732
                                                                                        • C:\Windows\System32\WScript.exe
                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db724201-69a9-483a-a361-6488e385196f.vbs"
                                                                                          31⤵
                                                                                            PID:2016
                                                                                      • C:\Windows\System32\WScript.exe
                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd54648e-f4ec-40c4-9dd3-a4f9a3213155.vbs"
                                                                                        29⤵
                                                                                          PID:3960
                                                                                    • C:\Windows\System32\WScript.exe
                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11b24d26-e77e-4605-af58-0702e58285a4.vbs"
                                                                                      27⤵
                                                                                        PID:1936
                                                                                  • C:\Windows\System32\WScript.exe
                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25622c67-6ef2-4629-9637-181bbdd4792d.vbs"
                                                                                    25⤵
                                                                                      PID:1308
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f6d21dc-1859-4b91-9ca9-a619717ddbb4.vbs"
                                                                                  23⤵
                                                                                    PID:4432
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9b50678-a1fe-4551-af9c-18321f1e0aac.vbs"
                                                                                21⤵
                                                                                  PID:4804
                                                                            • C:\Windows\System32\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28a1bc58-0e51-4176-8bc6-cc61ec4e269e.vbs"
                                                                              19⤵
                                                                                PID:1512
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f92a70fe-0ecf-4669-a5cd-410ba3fc73c1.vbs"
                                                                            17⤵
                                                                              PID:752
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d1883a5-f382-4e19-a820-8706d3ba049d.vbs"
                                                                          15⤵
                                                                            PID:4920
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffd4c9f3-aedc-408b-8676-9ce3efc0f9ab.vbs"
                                                                        13⤵
                                                                          PID:5060
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2c4e358-f249-48c5-9314-eba8010e80c9.vbs"
                                                                      11⤵
                                                                        PID:3256
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\719b75f5-6f24-4a2a-bba5-9fbf6475cdfe.vbs"
                                                                    9⤵
                                                                      PID:1604
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f755d41-99ff-4c86-beab-f70b8602ad6d.vbs"
                                                                  7⤵
                                                                    PID:4964
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28633f8a-a59b-46be-be97-418b7da6e0e6.vbs"
                                                                5⤵
                                                                  PID:3120
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:1372
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4996
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:3484
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "77177c57df58a82f289add0cf57ea320_NeikiAnalytics7" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:3920
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "77177c57df58a82f289add0cf57ea320_NeikiAnalytics" /sc ONLOGON /tr "'C:\Users\Public\Desktop\77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:5016
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "77177c57df58a82f289add0cf57ea320_NeikiAnalytics7" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2932
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4508
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2180
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4212
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\explorer.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:1804
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\explorer.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:60
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\explorer.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          PID:3684
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Updates\TextInputHost.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4932
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\TextInputHost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4416
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Updates\TextInputHost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2204
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4840
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4760
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4744
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\dllhost.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:3116
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\dllhost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:3632
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\dllhost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4920
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\fontdrvhost.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          PID:1828
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\fontdrvhost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          PID:1128
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\fontdrvhost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4068
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:1396
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4168
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4348
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\dwm.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:1836
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\dwm.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          PID:3888
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\dwm.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:632
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\backgroundTaskHost.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:3708
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          PID:2484
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2864
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2036
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4280
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2920
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\ServiceProfiles\sihost.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:3120
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\sihost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4292
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Windows\ServiceProfiles\sihost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:1924
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:1188
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4256
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4056
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:3456
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          PID:692
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:220
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4088
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4748
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:1192
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Desktop\System.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4684
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Desktop\System.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4552
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\System.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2128
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Start Menu\taskhostw.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:1036
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\taskhostw.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4288
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\taskhostw.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2440
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\My Music\dllhost.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4968
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\dllhost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          PID:4772
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Music\dllhost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2480
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2340
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:3116
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          PID:1544
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4236
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:3612
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4840
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\MoUsoCoreWorker.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:4348
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\MoUsoCoreWorker.exe'" /rl HIGHEST /f
                                                          1⤵
                                                            PID:3548
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\MoUsoCoreWorker.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Creates scheduled task(s)
                                                            PID:2388
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Templates\sppsvc.exe'" /f
                                                            1⤵
                                                            • Creates scheduled task(s)
                                                            PID:5040
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Templates\sppsvc.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Creates scheduled task(s)
                                                            PID:2436
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Templates\sppsvc.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Creates scheduled task(s)
                                                            PID:4776
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /f
                                                            1⤵
                                                            • Creates scheduled task(s)
                                                            PID:1808
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /rl HIGHEST /f
                                                            1⤵
                                                              PID:2204
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Creates scheduled task(s)
                                                              PID:4216
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\TrustedInstaller.exe'" /f
                                                              1⤵
                                                                PID:3036
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\Admin\TrustedInstaller.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Creates scheduled task(s)
                                                                PID:1316
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\TrustedInstaller.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Creates scheduled task(s)
                                                                PID:3292

                                                              Network

                                                              MITRE ATT&CK Enterprise v15

                                                              Downloads

                                                              • C:\Program Files\Microsoft Office\Updates\TextInputHost.exe

                                                                Filesize

                                                                2.9MB

                                                              • C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\RCX4B58.tmp

                                                                Filesize

                                                                2.9MB

                                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe.log

                                                                Filesize

                                                                1KB

                                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

                                                                Filesize

                                                                1KB

                                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                                Filesize

                                                                2KB

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                944B

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                944B

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                944B

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                944B

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                944B

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                944B

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                944B

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                944B

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                944B

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                944B

                                                              • C:\Users\Admin\AppData\Local\Temp\01411473-7746-4bce-8350-85d41f9af26e.vbs

                                                                Filesize

                                                                737B

                                                              • C:\Users\Admin\AppData\Local\Temp\04c159b3-0128-4873-9dcf-065314d47d43.vbs

                                                                Filesize

                                                                737B

                                                              • C:\Users\Admin\AppData\Local\Temp\10e234ee-da72-48b5-870e-2d445fb948e5.vbs

                                                                Filesize

                                                                737B

                                                              • C:\Users\Admin\AppData\Local\Temp\28633f8a-a59b-46be-be97-418b7da6e0e6.vbs

                                                                Filesize

                                                                513B

                                                              • C:\Users\Admin\AppData\Local\Temp\47fdc7c8-15cb-4f24-9069-2d2fbc37c0b6.vbs

                                                                Filesize

                                                                737B

                                                              • C:\Users\Admin\AppData\Local\Temp\9667e039-cbb8-434f-826d-a71e49bee52c.vbs

                                                                Filesize

                                                                737B

                                                              • C:\Users\Admin\AppData\Local\Temp\AHjKJtDsqF.bat

                                                                Filesize

                                                                250B

                                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_liscc0xu.tre.ps1

                                                                Filesize

                                                                60B

                                                              • C:\Users\Admin\AppData\Local\Temp\b3ed7e3e-a4e2-40af-8049-83337d7c8668.vbs

                                                                Filesize

                                                                737B

                                                              • C:\Users\Admin\AppData\Local\Temp\c3698677-11cf-42bb-9c15-a6c646eeda58.vbs

                                                                Filesize

                                                                737B

                                                              • C:\Users\Admin\AppData\Local\Temp\dd81e433-a47e-4909-bcd6-be63ea329b3a.vbs

                                                                Filesize

                                                                737B

                                                              • C:\Users\Admin\AppData\Local\Temp\e940332e-2a5e-4688-9aee-017368a7e9a1.vbs

                                                                Filesize

                                                                737B
