Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-05-2024 07:48

General

  • Target

    a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe

  • Size

    2.9MB

  • MD5

    a76c3992f0ce41945386691b991de4f0

  • SHA1

    694416f5f2cc6579af87f08175b52f9039930972

  • SHA256

    92e319b1b62dd242ccb3feaaa29200780cc33c46a5b35a4f5723fbcd73976023

  • SHA512

    6f8e49018ca2bd9ef4f002d968903cd6e414d61afbc68e8c70f74e1c473d612ed07f25af2c129fbd59105b71c9704cbc4c4b2e1b889ef3ebb8896a64b6ba7870

  • SSDEEP

    49152:H4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:YDKmzjWnC8Wikx1DUN2/Uq

Malware Config

Signatures

  • DcRat

    DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. In this run the flagged processes are the schtasks.exe /create invocations, which the tree lists at the top level with no captured parent.

  • UAC bypass 3 TTPs 42 IoCs
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. Here the sample spawns eleven powershell.exe children that add a path exclusion for C:\ and for each of its top-level directories (Windows, Users, Program Files, ProgramData and so on), which effectively removes the whole volume from on-access scanning. Add-MpPreference needs an elevated token, which is consistent with the UAC bypass and System policy modification signatures on the same process.

  • Checks computer location settings 2 TTPs 13 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 13 IoCs
  • Checks whether UAC is enabled 1 TTPs 28 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Drops file in Windows directory 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. For each dropped binary the sample registers an ONLOGON task with /rl HIGHEST plus two MINUTE-interval tasks. The task names and file names (sppsvc, csrss, fontdrvhost, sihost, explorer, OfficeClickToRun) imitate Windows components, but the /tr targets point into directories where those binaries do not belong, such as C:\Windows\tracing, C:\Windows\INF, an Adobe Reader folder under Program Files (x86) and the user's profile root.

  • Modifies registry class 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 57 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1192
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2640
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1200
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3180
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1104
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4440
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:632
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3792
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3188
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bTZqdeVjxS.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:692
        • C:\Users\Default User\SearchApp.exe
          "C:\Users\Default User\SearchApp.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:644
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3377673-5238-46aa-8bb8-d337e3a1bef2.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4856
            • C:\Users\Default User\SearchApp.exe
              "C:\Users\Default User\SearchApp.exe"
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:4924
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcb50ee3-b6f0-43f8-9888-feec33f690fb.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:4372
                • C:\Users\Default User\SearchApp.exe
                  "C:\Users\Default User\SearchApp.exe"
                  7⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:4608
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58d2159b-bb97-4abc-af96-3ed50b8cb3a8.vbs"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3364
                    • C:\Users\Default User\SearchApp.exe
                      "C:\Users\Default User\SearchApp.exe"
                      9⤵
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:876
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c287d85-ea58-4341-8bfc-8b0874a4ed11.vbs"
                        10⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4468
                        • C:\Users\Default User\SearchApp.exe
                          "C:\Users\Default User\SearchApp.exe"
                          11⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:2524
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f90df0a3-2cfe-403d-afe5-947beea7e1c2.vbs"
                            12⤵
                            • Suspicious use of WriteProcessMemory
                            PID:3328
                            • C:\Users\Default User\SearchApp.exe
                              "C:\Users\Default User\SearchApp.exe"
                              13⤵
                              • UAC bypass
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              • System policy modification
                              PID:4336
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d92a96b-da55-481a-9c25-8e69c0c4aa13.vbs"
                                14⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2160
                                • C:\Users\Default User\SearchApp.exe
                                  "C:\Users\Default User\SearchApp.exe"
                                  15⤵
                                  • UAC bypass
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • System policy modification
                                  PID:3572
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f6c84fe-45a2-4391-b30d-471e97ccee82.vbs"
                                    16⤵
                                      PID:4964
                                      • C:\Users\Default User\SearchApp.exe
                                        "C:\Users\Default User\SearchApp.exe"
                                        17⤵
                                        • UAC bypass
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Checks whether UAC is enabled
                                        • Modifies registry class
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        • System policy modification
                                        PID:2436
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6583eeca-7b46-4c2e-a3fa-dca195e9217d.vbs"
                                          18⤵
                                            PID:2288
                                            • C:\Users\Default User\SearchApp.exe
                                              "C:\Users\Default User\SearchApp.exe"
                                              19⤵
                                              • UAC bypass
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Checks whether UAC is enabled
                                              • Modifies registry class
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              • System policy modification
                                              PID:5084
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b6f1efd-1373-4290-bef9-69906f9689fd.vbs"
                                                20⤵
                                                  PID:1932
                                                  • C:\Users\Default User\SearchApp.exe
                                                    "C:\Users\Default User\SearchApp.exe"
                                                    21⤵
                                                    • UAC bypass
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Checks whether UAC is enabled
                                                    • Modifies registry class
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • System policy modification
                                                    PID:956
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ced3bcd-7119-40ff-bc04-2ebab54349ee.vbs"
                                                      22⤵
                                                        PID:2172
                                                        • C:\Users\Default User\SearchApp.exe
                                                          "C:\Users\Default User\SearchApp.exe"
                                                          23⤵
                                                          • UAC bypass
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Checks whether UAC is enabled
                                                          • Modifies registry class
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • System policy modification
                                                          PID:4336
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92305b84-615e-4c51-a82c-17f274c8b008.vbs"
                                                            24⤵
                                                              PID:3188
                                                              • C:\Users\Default User\SearchApp.exe
                                                                "C:\Users\Default User\SearchApp.exe"
                                                                25⤵
                                                                • UAC bypass
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Checks whether UAC is enabled
                                                                • Modifies registry class
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                • System policy modification
                                                                PID:3964
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5af9c4f-13a5-4736-92cb-6efda4eaad09.vbs"
                                                                  26⤵
                                                                    PID:1636
                                                                    • C:\Users\Default User\SearchApp.exe
                                                                      "C:\Users\Default User\SearchApp.exe"
                                                                      27⤵
                                                                      • UAC bypass
                                                                      • Executes dropped EXE
                                                                      • Checks whether UAC is enabled
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      • System policy modification
                                                                      PID:3296
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77f7ad0a-f3d8-41c3-ae2e-6e87b43ad04e.vbs"
                                                                    26⤵
                                                                      PID:3748
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5670110e-3ece-43e1-93f5-0e2665f1088c.vbs"
                                                                  24⤵
                                                                    PID:2540
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cfd9777-dd1e-4dad-80b7-6a7b50b44985.vbs"
                                                                22⤵
                                                                  PID:4108
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1abcac1-f3de-4583-ba26-b9d13da5a272.vbs"
                                                              20⤵
                                                                PID:4864
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b25e896-ad08-4a49-bf38-15ccf5350c54.vbs"
                                                            18⤵
                                                              PID:4684
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0c6a276-ec10-4e2e-99cf-8f1bc3edb5c3.vbs"
                                                          16⤵
                                                            PID:3752
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\208485dc-94bc-4d0e-82ba-6f73131f7da7.vbs"
                                                        14⤵
                                                          PID:464
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03fed305-4fb7-4f39-8578-8a16ea1aa5e3.vbs"
                                                      12⤵
                                                        PID:404
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\378d01be-84b0-4205-9c10-cbd8aa48f517.vbs"
                                                    10⤵
                                                      PID:4448
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1141c1a3-4ab9-45b6-9401-0c7808347786.vbs"
                                                  8⤵
                                                    PID:1516
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90ddbed6-cf46-4a00-a1eb-8748b22212a6.vbs"
                                                6⤵
                                                  PID:2644
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a985be6-bb15-4b70-9027-e9a6b09f1f34.vbs"
                                              4⤵
                                                PID:5040
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\sppsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:532
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1492
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:4636
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:4840
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:4864
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:3288
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\fontdrvhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1108
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\fontdrvhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1232
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\fontdrvhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:4092
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\sihost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:5084
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\sihost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:4228
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\sihost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:3368
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\explorer.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1260
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2284
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2264
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\fr-FR\OfficeClickToRun.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:3272
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\OfficeClickToRun.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2568
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\fr-FR\OfficeClickToRun.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1676
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Desktop\OfficeClickToRun.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:4472
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\OfficeClickToRun.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:4824
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\OfficeClickToRun.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1576
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1296
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1424
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2180
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:3584
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1300
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:548
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:724
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:4464
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2288
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:3764
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1488
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1552
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\sysmon.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:3728
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\sysmon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:3240
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\sysmon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2552
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2732
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:3820
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2668
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1836
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2356
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1456
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\SearchApp.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:5024
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:4448
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:4176
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:4812
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:3832
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:4028

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Downloads

                                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\explorer.exe

                                          Filesize

                                          2.9MB

                                        • C:\Program Files (x86)\WindowsPowerShell\Modules\sysmon.exe

                                          Filesize

                                          2.9MB

                                        • C:\Program Files\Windows Sidebar\Gadgets\RCX69E4.tmp

                                          Filesize

                                          2.9MB

                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

                                          Filesize

                                          1KB

                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                          Filesize

                                          2KB

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          944B

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          944B

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          944B

                                        • C:\Users\Admin\AppData\Local\Temp\1c287d85-ea58-4341-8bfc-8b0874a4ed11.vbs

                                          Filesize

                                          710B

                                        • C:\Users\Admin\AppData\Local\Temp\1ced3bcd-7119-40ff-bc04-2ebab54349ee.vbs

                                          Filesize

                                          710B

                                        • C:\Users\Admin\AppData\Local\Temp\2d92a96b-da55-481a-9c25-8e69c0c4aa13.vbs

                                          Filesize

                                          711B

                                        • C:\Users\Admin\AppData\Local\Temp\58d2159b-bb97-4abc-af96-3ed50b8cb3a8.vbs

                                          Filesize

                                          711B

                                        • C:\Users\Admin\AppData\Local\Temp\5b6f1efd-1373-4290-bef9-69906f9689fd.vbs

                                          Filesize

                                          711B

                                        • C:\Users\Admin\AppData\Local\Temp\6583eeca-7b46-4c2e-a3fa-dca195e9217d.vbs

                                          Filesize

                                          711B

                                        • C:\Users\Admin\AppData\Local\Temp\7f6c84fe-45a2-4391-b30d-471e97ccee82.vbs

                                          Filesize

                                          711B

                                        • C:\Users\Admin\AppData\Local\Temp\8a985be6-bb15-4b70-9027-e9a6b09f1f34.vbs

                                          Filesize

                                          487B

                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_01qsignx.dhs.ps1

                                          Filesize

                                          60B

                                        • C:\Users\Admin\AppData\Local\Temp\bTZqdeVjxS.bat

                                          Filesize

                                          200B

                                        • C:\Users\Admin\AppData\Local\Temp\d5af9c4f-13a5-4736-92cb-6efda4eaad09.vbs

                                          Filesize

                                          711B

                                          MD5

                                          e7e7cc0bf01f6b154916379ba3ecb980

                                          SHA1

                                          9fc44a0758fe17ce197aa25658f6dc36bfe8ed05

                                          SHA256

                                          ed5db7c1e7effd9894e7838869f2b1a069dd447d6b5bc8db8ac03f2774368b86

                                          SHA512

                                          2f25520639459e4a2444fc75da8d6805702e41e4fd4b27fc24e9e4561acc170d104406dafe769e84bddeab91c61b22f017fc46f3b595041ea9bb439d2016ddb6

                                        • C:\Users\Admin\AppData\Local\Temp\dcb50ee3-b6f0-43f8-9888-feec33f690fb.vbs

                                          Filesize

                                          711B

                                          MD5

                                          1e7168949d87de32fd265a56f31514fa

                                          SHA1

                                          dd8a0c66b23c6077e02478aaf3ff4660ecf643a2

                                          SHA256

                                          16f213a83fb556f6714ba9e43730922f0a45395d1cbd1d10b8b270698ab1468f

                                          SHA512

                                          f710a71191e598833d029404a134b94b32d3a0028124694c21e7fbd998b1c83bd4fb3b777493dcd3315b39b6a2bea5fcb3ee61ec509879f3397a5a545b5591ba

                                        • C:\Users\Admin\AppData\Local\Temp\f3377673-5238-46aa-8bb8-d337e3a1bef2.vbs

                                          Filesize

                                          710B

                                          MD5

                                          685ff2f58c23bb1bff6e280b2c1ba8f8

                                          SHA1

                                          14c3b125f9610fa8a445d746ca7bf592053433a4

                                          SHA256

                                          cabcc11c67c17ee64b263d6f258dbf763d7702981f38ec4375b97f88248e4efd

                                          SHA512

                                          7a573a6e5cba72a40869451ec2172c40ada89f831c3504e74310a7606c93f41003115a155bebd78500151aac8debefef16ba89727ba785cd2f57dd6b58857073

                                        • C:\Users\Admin\AppData\Local\Temp\f90df0a3-2cfe-403d-afe5-947beea7e1c2.vbs

                                          Filesize

                                          711B

                                          MD5

                                          18c91d97244066aeb1541d7e7824497b

                                          SHA1

                                          9929aac56a2f638770f2b454ae13585944745d02

                                          SHA256

                                          0db8026a03abc63c3e775bb202c081d91ca2b69f8bf308a8452dec9079bba303

                                          SHA512

                                          e66e69a653e33f0ac02b9e4482282a8363ed1af54d4fe97a727bb2a39450a7a6f45953325e1a5e292c4365ab8ad157170db29a0d1560e771506017eb1185ae42

                                        • C:\Users\Admin\sihost.exe

                                          Filesize

                                          2.9MB

                                          MD5

                                          31041dd60a6c75eb61e4659f3b3807f9

                                          SHA1

                                          dfd330395b119125f606bea62c627b4dfb1e7ee1

                                          SHA256

                                          f137c910af59a38f421b56f4d30f2273ac5f70de2fb16ddae04f716dc462bcb9

                                          SHA512

                                          9030c782118650a9ce9b6efd0853fb5ef76b4ff6484616421e75031c55ee2ed52ea71e39693878224a01d279cbcf48e1dde4ea8cb7f9a534c036a0f477548006

                                        • C:\Users\Public\Videos\RuntimeBroker.exe

                                          Filesize

                                          2.9MB

                                          MD5

                                          50ccccd7fbbdad41f811b17823c8c9df

                                          SHA1

                                          14a985bf894aae6162b6ba47b2d8a3a72284a09a

                                          SHA256

                                          c88a6e96d6f23b84050e855dbe400e766e9a250689d2a5694d6ef9936e2ed2b6

                                          SHA512

                                          65cd027b8344f4563ddd2609c2bb23e3096d7121e49b014fe3043ed95414ce053659524e50c8a4c9eb11b0e06aa25f4820fbf3ed0c72dde76f5841ae4c05a109

                                        • memory/956-416-0x000000001C7E0000-0x000000001C8E2000-memory.dmp

                                          Filesize

                                          1.0MB

                                        • memory/1104-187-0x00000178A4EB0000-0x00000178A4ED2000-memory.dmp

                                          Filesize

                                          136KB

                                        • memory/1192-15-0x000000001C3B0000-0x000000001C3BC000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/1192-26-0x000000001C360000-0x000000001C36A000-memory.dmp

                                          Filesize

                                          40KB

                                        • memory/1192-13-0x000000001C290000-0x000000001C29C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/1192-0-0x00007FFBFB903000-0x00007FFBFB905000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/1192-27-0x000000001C370000-0x000000001C37C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/1192-25-0x000000001C350000-0x000000001C358000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/1192-22-0x000000001C320000-0x000000001C328000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/1192-177-0x00007FFBFB900000-0x00007FFBFC3C1000-memory.dmp

                                          Filesize

                                          10.8MB

                                        • memory/1192-20-0x000000001C300000-0x000000001C30A000-memory.dmp

                                          Filesize

                                          40KB

                                        • memory/1192-23-0x000000001C330000-0x000000001C33E000-memory.dmp

                                          Filesize

                                          56KB

                                        • memory/1192-18-0x000000001C2E0000-0x000000001C2E8000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/1192-17-0x000000001C8F0000-0x000000001CE18000-memory.dmp

                                          Filesize

                                          5.2MB

                                        • memory/1192-16-0x000000001C2B0000-0x000000001C2C2000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/1192-24-0x000000001C340000-0x000000001C34C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/1192-1-0x0000000000C50000-0x0000000000F36000-memory.dmp

                                          Filesize

                                          2.9MB

                                        • memory/1192-19-0x000000001C2F0000-0x000000001C2F8000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/1192-12-0x000000001C240000-0x000000001C296000-memory.dmp

                                          Filesize

                                          344KB

                                        • memory/1192-11-0x000000001C230000-0x000000001C23A000-memory.dmp

                                          Filesize

                                          40KB

                                        • memory/1192-7-0x000000001C190000-0x000000001C1A6000-memory.dmp

                                          Filesize

                                          88KB

                                        • memory/1192-10-0x000000001C220000-0x000000001C230000-memory.dmp

                                          Filesize

                                          64KB

                                        • memory/1192-9-0x000000001C1C0000-0x000000001C1C8000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/1192-8-0x000000001C1B0000-0x000000001C1B8000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/1192-14-0x000000001C2A0000-0x000000001C2A8000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/1192-5-0x00000000030C0000-0x00000000030C8000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/1192-6-0x000000001C180000-0x000000001C190000-memory.dmp

                                          Filesize

                                          64KB

                                        • memory/1192-4-0x000000001C1D0000-0x000000001C220000-memory.dmp

                                          Filesize

                                          320KB

                                        • memory/1192-3-0x000000001C160000-0x000000001C17C000-memory.dmp

                                          Filesize

                                          112KB

                                        • memory/1192-2-0x00007FFBFB900000-0x00007FFBFC3C1000-memory.dmp

                                          Filesize

                                          10.8MB

                                        • memory/1192-21-0x000000001C310000-0x000000001C31E000-memory.dmp

                                          Filesize

                                          56KB

                                        • memory/4336-361-0x000000001B810000-0x000000001B822000-memory.dmp

                                          Filesize

                                          72KB