Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-05-2024 07:21

General

  • Target

    a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe

  • Size

    2.9MB

  • MD5

    a2076a85de5c50013fd48e423e2c2050

  • SHA1

    4ef4d4fd4cf21287ccb37baa4fc8a4efa31b6bd6

  • SHA256

    296ff7111b13564c6bffbc590f46a21188c873f95658d756c22425584453b9b6

  • SHA512

    ff45a43830600f097569378af3d957346f2e66bfbf65f5a89ba592c5b90ef0759bf7a587914fb84c3406b6624c2301652ed30440cde9701d18bdf68b46cfa1a3

  • SSDEEP

    49152:f4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:QDKmzjWnC8Wikx1DUN2/Uq

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 36 IoCs
  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Checks whether UAC is enabled 1 TTPs 24 IoCs
  • Drops file in Program Files directory 32 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2224
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2536
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:780
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2532
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2640
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1796
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:592
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1508
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1236
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1616
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2244
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MShxucCbpR.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1152
        • C:\Windows\Temp\Crashpad\reports\smss.exe
          "C:\Windows\Temp\Crashpad\reports\smss.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2528
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e91a5fd6-2473-4eca-a721-d82924596864.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2452
            • C:\Windows\Temp\Crashpad\reports\smss.exe
              C:\Windows\Temp\Crashpad\reports\smss.exe
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2404
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cfa6f23-718b-4828-abac-e81eb33b7df4.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:896
                • C:\Windows\Temp\Crashpad\reports\smss.exe
                  C:\Windows\Temp\Crashpad\reports\smss.exe
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:1864
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a85b11b-ae36-4e0d-8af0-74e7a0b8cdc1.vbs"
                    8⤵
                      PID:400
                      • C:\Windows\Temp\Crashpad\reports\smss.exe
                        C:\Windows\Temp\Crashpad\reports\smss.exe
                        9⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:2536
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\159c9b7a-7d9e-4917-b6d8-d0de94a4887b.vbs"
                          10⤵
                            PID:1680
                            • C:\Windows\Temp\Crashpad\reports\smss.exe
                              C:\Windows\Temp\Crashpad\reports\smss.exe
                              11⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:3000
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36cd1339-fb03-417e-88c1-b7ce3e076bd6.vbs"
                                12⤵
                                  PID:1776
                                  • C:\Windows\Temp\Crashpad\reports\smss.exe
                                    C:\Windows\Temp\Crashpad\reports\smss.exe
                                    13⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:2108
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\702fd1a4-a25a-46f9-a8f7-827fdfd963c1.vbs"
                                      14⤵
                                        PID:2832
                                        • C:\Windows\Temp\Crashpad\reports\smss.exe
                                          C:\Windows\Temp\Crashpad\reports\smss.exe
                                          15⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:1388
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac3eef52-dcb0-47b6-b93b-6b0ce8fef44f.vbs"
                                            16⤵
                                              PID:2888
                                              • C:\Windows\Temp\Crashpad\reports\smss.exe
                                                C:\Windows\Temp\Crashpad\reports\smss.exe
                                                17⤵
                                                • UAC bypass
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:1592
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60d04011-32b2-426d-8a48-641b46039470.vbs"
                                                  18⤵
                                                    PID:3064
                                                    • C:\Windows\Temp\Crashpad\reports\smss.exe
                                                      C:\Windows\Temp\Crashpad\reports\smss.exe
                                                      19⤵
                                                      • UAC bypass
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • System policy modification
                                                      PID:400
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc0bcd1c-c277-46ad-8953-792fa00f1e88.vbs"
                                                        20⤵
                                                          PID:2712
                                                          • C:\Windows\Temp\Crashpad\reports\smss.exe
                                                            C:\Windows\Temp\Crashpad\reports\smss.exe
                                                            21⤵
                                                            • UAC bypass
                                                            • Executes dropped EXE
                                                            • Checks whether UAC is enabled
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • System policy modification
                                                            PID:2684
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e82c0598-8ac0-497f-bd9c-a40132e4e6d2.vbs"
                                                              22⤵
                                                                PID:2008
                                                                • C:\Windows\Temp\Crashpad\reports\smss.exe
                                                                  C:\Windows\Temp\Crashpad\reports\smss.exe
                                                                  23⤵
                                                                  • UAC bypass
                                                                  • Executes dropped EXE
                                                                  • Checks whether UAC is enabled
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • System policy modification
                                                                  PID:924
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97ef99bd-616e-49c6-8925-631d1cedea0a.vbs"
                                                                    24⤵
                                                                      PID:1960
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b9f6ce1-b2c4-4ec6-933c-92e52fc2a30f.vbs"
                                                                      24⤵
                                                                        PID:2068
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\186638af-fe8a-4fdd-b116-b3fa00935120.vbs"
                                                                    22⤵
                                                                      PID:2400
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8211f57-0f21-4891-9104-1a773fad3367.vbs"
                                                                  20⤵
                                                                    PID:2528
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a5ff9da-8dc4-438b-a317-0df0e83432a2.vbs"
                                                                18⤵
                                                                  PID:1324
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba59e1ee-d98e-476c-9de2-12f8bb6ecf03.vbs"
                                                              16⤵
                                                                PID:1700
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43dca75c-25d5-49dd-ba83-bac404d2dc93.vbs"
                                                            14⤵
                                                              PID:2732
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f9c7e93-d5d9-4998-917a-f7c6a8739f10.vbs"
                                                          12⤵
                                                            PID:2900
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93df9a78-56f4-4484-aa93-759f1f36b3d3.vbs"
                                                        10⤵
                                                          PID:3056
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b518053a-3d45-4410-9138-4e497851909a.vbs"
                                                      8⤵
                                                        PID:1500
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b3add36-0325-42a0-8a49-e1beb1538ef2.vbs"
                                                    6⤵
                                                      PID:2312
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6fcfda8-4f11-4d82-901e-45966a26f86f.vbs"
                                                  4⤵
                                                    PID:2412
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\Temp\Crashpad\reports\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2452
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\Crashpad\reports\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2444
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "a2076a85de5c50013fd48e423e2c2050_NeikiAnalyticsa" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2420
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "a2076a85de5c50013fd48e423e2c2050_NeikiAnalyticsa" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2480
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1236
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2688
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\fr-FR\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\fr-FR\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "a2076a85de5c50013fd48e423e2c2050_NeikiAnalyticsa" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1992
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1196
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "a2076a85de5c50013fd48e423e2c2050_NeikiAnalyticsa" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1972
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2232
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2384
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Setup\State\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Setup\State\System.exe'" /rl HIGHEST /f
    1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:352
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\State\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1484
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\ja-JP\csrss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2908
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1620
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\ja-JP\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1512
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1092
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2924
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2268
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\taskhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2280
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\taskhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2252
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\taskhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2396
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\System.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2068
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:544
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1792
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\smss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:452
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2372
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2992
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1744
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1552
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1816
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Searches\services.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1860
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Searches\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2776
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Searches\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1640
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:3056
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1372
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2964
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\spoolsv.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2176
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1488
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2196

                                            Downloads


                                            • memory/924-368-0x0000000000B20000-0x0000000000B32000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/1388-315-0x0000000000770000-0x0000000000782000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/1592-327-0x0000000000D60000-0x0000000000DB6000-memory.dmp

                                              Filesize

                                              344KB

                                            • memory/1796-191-0x000000001B780000-0x000000001BA62000-memory.dmp

                                              Filesize

                                              2.9MB

                                            • memory/1796-193-0x0000000001D80000-0x0000000001D88000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/1864-268-0x0000000000BB0000-0x0000000000E96000-memory.dmp

                                              Filesize

                                              2.9MB

                                            • memory/2224-15-0x0000000002480000-0x0000000002492000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2224-17-0x000000001AB70000-0x000000001AB78000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/2224-24-0x000000001AFB0000-0x000000001AFBA000-memory.dmp

                                              Filesize

                                              40KB

                                            • memory/2224-23-0x000000001AFA0000-0x000000001AFA8000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/2224-208-0x000007FEF5770000-0x000007FEF615C000-memory.dmp

                                              Filesize

                                              9.9MB

                                            • memory/2224-22-0x000000001AF90000-0x000000001AF9C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2224-1-0x0000000000380000-0x0000000000666000-memory.dmp

                                              Filesize

                                              2.9MB

                                            • memory/2224-21-0x000000001ABB0000-0x000000001ABBE000-memory.dmp

                                              Filesize

                                              56KB

                                            • memory/2224-20-0x000000001ABA0000-0x000000001ABA8000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/2224-25-0x000000001AFC0000-0x000000001AFCC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2224-2-0x000007FEF5770000-0x000007FEF615C000-memory.dmp

                                              Filesize

                                              9.9MB

                                            • memory/2224-19-0x000000001AB90000-0x000000001AB9E000-memory.dmp

                                              Filesize

                                              56KB

                                            • memory/2224-18-0x000000001AB80000-0x000000001AB8A000-memory.dmp

                                              Filesize

                                              40KB

                                            • memory/2224-5-0x00000000021D0000-0x00000000021E0000-memory.dmp

                                              Filesize

                                              64KB

                                            • memory/2224-16-0x000000001AB60000-0x000000001AB68000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/2224-0-0x000007FEF5773000-0x000007FEF5774000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/2224-3-0x0000000000740000-0x000000000075C000-memory.dmp

                                              Filesize

                                              112KB

                                            • memory/2224-4-0x00000000006B0000-0x00000000006B8000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/2224-14-0x0000000002470000-0x000000000247C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2224-13-0x0000000002460000-0x0000000002468000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/2224-12-0x0000000002450000-0x000000000245C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2224-11-0x000000001AAF0000-0x000000001AB46000-memory.dmp

                                              Filesize

                                              344KB

                                            • memory/2224-10-0x0000000002440000-0x000000000244A000-memory.dmp

                                              Filesize

                                              40KB

                                            • memory/2224-9-0x0000000002430000-0x0000000002440000-memory.dmp

                                              Filesize

                                              64KB

                                            • memory/2224-8-0x0000000002290000-0x0000000002298000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/2224-7-0x0000000002280000-0x0000000002288000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/2224-6-0x00000000021E0000-0x00000000021F6000-memory.dmp

                                              Filesize

                                              88KB

                                            • memory/2404-255-0x00000000009B0000-0x0000000000C96000-memory.dmp

                                              Filesize

                                              2.9MB

                                            • memory/2404-256-0x0000000002560000-0x00000000025B6000-memory.dmp

                                              Filesize

                                              344KB

                                            • memory/2528-244-0x0000000000830000-0x0000000000B16000-memory.dmp

                                              Filesize

                                              2.9MB

                                            • memory/2684-353-0x0000000000E40000-0x0000000000E96000-memory.dmp

                                              Filesize

                                              344KB

                                            • memory/2684-354-0x0000000000CA0000-0x0000000000CB2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2684-352-0x0000000000E90000-0x0000000001176000-memory.dmp

                                              Filesize

                                              2.9MB

                                            • memory/3000-292-0x0000000000B10000-0x0000000000B22000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/3000-291-0x0000000001100000-0x00000000013E6000-memory.dmp

                                              Filesize

                                              2.9MB