Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-05-2024 00:58

General

  • Target

    6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe

  • Size

    2.9MB

  • MD5

    6a9aaa3fc23d1561df97e3f9eb2de110

  • SHA1

    d0effad0bad292fb0bcb377cbafacd8db83a474e

  • SHA256

    9ff431f5f1b0f09adff076f71cdfbe91566f3b00f5ea57fc9e4c02aef199a565

  • SHA512

    7350bce60b1a9ffb8ce8c8f98e17ebef7931db0f8a77af7d4dfef0ac02065169ec51734e0602a2be5790e77be9703ea560f3caf640dbaee85fc30e4630912c4c

  • SSDEEP

    49152:P4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:gDKmzjWnC8Wikx1DUN2/Uq

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 45 IoCs
  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 14 IoCs
  • Checks whether UAC is enabled 1 TTPs 30 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2424
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2116
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2072
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2668
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2740
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2704
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2624
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2644
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3CX563UFPi.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2328
        • C:\Program Files\Windows Sidebar\es-ES\Idle.exe
          "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2236
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49826c25-5c99-4bc1-aa3f-4a738c1ab5e2.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2080
            • C:\Program Files\Windows Sidebar\es-ES\Idle.exe
              "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2436
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bbdc585-da7f-4571-9fac-1cb196e7f7f4.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1416
                • C:\Program Files\Windows Sidebar\es-ES\Idle.exe
                  "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:1988
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54e22a20-532b-4fa5-a601-e7966162b9dc.vbs"
                    8⤵
                      PID:1720
                      • C:\Program Files\Windows Sidebar\es-ES\Idle.exe
                        "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
                        9⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:1576
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab9cc3c9-0286-43f6-beb3-dc9eb48f02b6.vbs"
                          10⤵
                            PID:2088
                            • C:\Program Files\Windows Sidebar\es-ES\Idle.exe
                              "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
                              11⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:2676
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd28b351-d58b-4743-95cd-b85d6e0bc30d.vbs"
                                12⤵
                                  PID:1236
                                  • C:\Program Files\Windows Sidebar\es-ES\Idle.exe
                                    "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
                                    13⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:2204
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1144ab3c-b35d-41f5-b82d-b7e715f57d14.vbs"
                                      14⤵
                                        PID:2588
                                        • C:\Program Files\Windows Sidebar\es-ES\Idle.exe
                                          "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
                                          15⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:2884
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3329b7e-3343-4468-87e9-32c0397bd0bc.vbs"
                                            16⤵
                                              PID:2416
                                              • C:\Program Files\Windows Sidebar\es-ES\Idle.exe
                                                "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
                                                17⤵
                                                • UAC bypass
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:1736
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e29a1080-1ed8-4f23-a275-d0f29b93cf5c.vbs"
                                                  18⤵
                                                    PID:2740
                                                    • C:\Program Files\Windows Sidebar\es-ES\Idle.exe
                                                      "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
                                                      19⤵
                                                      • UAC bypass
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • System policy modification
                                                      PID:2492
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9be8320-80fa-4dc0-99a4-dfa97402f70f.vbs"
                                                        20⤵
                                                          PID:812
                                                          • C:\Program Files\Windows Sidebar\es-ES\Idle.exe
                                                            "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
                                                            21⤵
                                                            • UAC bypass
                                                            • Executes dropped EXE
                                                            • Checks whether UAC is enabled
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • System policy modification
                                                            PID:2088
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a07731de-3150-4c5a-bade-fdb118f8f4da.vbs"
                                                              22⤵
                                                                PID:1536
                                                                • C:\Program Files\Windows Sidebar\es-ES\Idle.exe
                                                                  "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
                                                                  23⤵
                                                                  • UAC bypass
                                                                  • Executes dropped EXE
                                                                  • Checks whether UAC is enabled
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • System policy modification
                                                                  PID:1948
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49a39565-ba88-4436-99d1-f3fdd6b76258.vbs"
                                                                    24⤵
                                                                      PID:2104
                                                                      • C:\Program Files\Windows Sidebar\es-ES\Idle.exe
                                                                        "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
                                                                        25⤵
                                                                        • UAC bypass
                                                                        • Executes dropped EXE
                                                                        • Checks whether UAC is enabled
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        • System policy modification
                                                                        PID:2504
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80d6d7fb-e896-49a5-811a-a4e7dd703909.vbs"
                                                                          26⤵
                                                                            PID:1564
                                                                            • C:\Program Files\Windows Sidebar\es-ES\Idle.exe
                                                                              "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
                                                                              27⤵
                                                                              • UAC bypass
                                                                              • Executes dropped EXE
                                                                              • Checks whether UAC is enabled
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              • System policy modification
                                                                              PID:1520
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6343f0ad-b255-429d-b213-78c192783808.vbs"
                                                                                28⤵
                                                                                  PID:2964
                                                                                  • C:\Program Files\Windows Sidebar\es-ES\Idle.exe
                                                                                    "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
                                                                                    29⤵
                                                                                    • UAC bypass
                                                                                    • Executes dropped EXE
                                                                                    • Checks whether UAC is enabled
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    • System policy modification
                                                                                    PID:2556
                                                                                    • C:\Windows\System32\WScript.exe
                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\589ef245-c9bb-443e-8ca5-b45d1d50d637.vbs"
                                                                                      30⤵
                                                                                        PID:556
                                                                                      • C:\Windows\System32\WScript.exe
                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ae23af8-939f-4d80-8691-30b9e82ec339.vbs"
                                                                                        30⤵
                                                                                          PID:1860
                                                                                    • C:\Windows\System32\WScript.exe
                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ce710fd-9994-4f5a-bb6a-bb4f08529873.vbs"
                                                                                      28⤵
                                                                                        PID:2596
                                                                                  • C:\Windows\System32\WScript.exe
                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e93b0419-f4e4-49b8-b814-9ca3e3ec3769.vbs"
                                                                                    26⤵
                                                                                      PID:1504
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01a11dd9-cae8-4f9d-970e-3f569a75999a.vbs"
                                                                                  24⤵
                                                                                    PID:1080
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d085139-99b0-4712-a783-7797906660a5.vbs"
                                                                                22⤵
                                                                                  PID:2220
                                                                            • C:\Windows\System32\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2627fa4f-d541-46fb-877a-9a70b04b7fe5.vbs"
                                                                              20⤵
                                                                                PID:2440
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f0a07ac-7cc7-422d-b1b8-934afefac1b0.vbs"
                                                                            18⤵
                                                                              PID:2108
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ddce6bb-633c-49a0-baf6-510e9aa6d729.vbs"
                                                                          16⤵
                                                                            PID:484
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3297548-a8f4-4875-8fc1-362465cdbcac.vbs"
                                                                        14⤵
                                                                          PID:1800
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d97d438-9e60-4465-b438-390ce9b614b8.vbs"
                                                                      12⤵
                                                                        PID:3060
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55ac1b5e-1d4c-45fd-986f-136b9951809a.vbs"
                                                                    10⤵
                                                                      PID:2052
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4bc378b-678a-4ee0-8826-6b292d37a714.vbs"
                                                                  8⤵
                                                                    PID:2900
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7a3c98e-2b1f-4142-acb0-96f19afcaaac.vbs"
                                                                6⤵
                                                                  PID:2648
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\466efd95-f006-4848-bbaa-281cded59da6.vbs"
                                                              4⤵
                                                                PID:880
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2552
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Creates scheduled task(s)
                                                          PID:2748
                                                        • C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f
  PID: 2692; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\OEM\lsm.exe'" /f
  PID: 2520; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Help\OEM\lsm.exe'" /rl HIGHEST /f
  PID: 2580; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\OEM\lsm.exe'" /rl HIGHEST /f
  PID: 2196; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\csrss.exe'" /f
  PID: 2340; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\csrss.exe'" /rl HIGHEST /f
  PID: 3016; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\csrss.exe'" /rl HIGHEST /f
  PID: 2768; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\CSC\csrss.exe'" /f
  PID: 2760; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\CSC\csrss.exe'" /rl HIGHEST /f
  PID: 2880; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\CSC\csrss.exe'" /rl HIGHEST /f
  PID: 2876; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\services.exe'" /f
  PID: 3024; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\services.exe'" /rl HIGHEST /f
  PID: 3020; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\services.exe'" /rl HIGHEST /f
  PID: 316; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\spoolsv.exe'" /f
  PID: 1724; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
  PID: 2028; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
  PID: 1564; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\es-ES\Idle.exe'" /f
  PID: 1984; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\es-ES\Idle.exe'" /rl HIGHEST /f
  PID: 2576; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\es-ES\Idle.exe'" /rl HIGHEST /f
  PID: 1420; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellNew\Idle.exe'" /f
  PID: 1188; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ShellNew\Idle.exe'" /rl HIGHEST /f
  PID: 1340; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\Idle.exe'" /rl HIGHEST /f
  PID: 2232; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
  PID: 2052; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
  PID: 2616; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
  PID: 2896; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\dllhost.exe'" /f
  PID: 2952; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
  PID: 2088; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
  PID: 2060; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /f
  PID: 484; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /rl HIGHEST /f
  PID: 1080; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /rl HIGHEST /f
  PID: 1548; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
  PID: 1824; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
  PID: 1788; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
  PID: 2044; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\lsass.exe'" /f
  PID: 468; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\lsass.exe'" /rl HIGHEST /f
  PID: 688; signatures: Process spawned unexpected child process; Creates scheduled task(s)
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\lsass.exe'" /rl HIGHEST /f
  PID: 1532; signatures: Process spawned unexpected child process; Creates scheduled task(s)

                                                        Network

                                                        MITRE ATT&CK Enterprise v15

                                                        Downloads

                                                        • C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\services.exe

                                                          Filesize

                                                          2.9MB

                                                        • C:\Users\Admin\AppData\Local\Temp\1144ab3c-b35d-41f5-b82d-b7e715f57d14.vbs

                                                          Filesize

                                                          723B

                                                        • C:\Users\Admin\AppData\Local\Temp\3CX563UFPi.bat

                                                          Filesize

                                                          212B

                                                        • C:\Users\Admin\AppData\Local\Temp\466efd95-f006-4848-bbaa-281cded59da6.vbs

                                                          Filesize

                                                          499B

                                                        • C:\Users\Admin\AppData\Local\Temp\49826c25-5c99-4bc1-aa3f-4a738c1ab5e2.vbs

                                                          Filesize

                                                          723B

                                                        • C:\Users\Admin\AppData\Local\Temp\49a39565-ba88-4436-99d1-f3fdd6b76258.vbs

                                                          Filesize

                                                          723B

                                                        • C:\Users\Admin\AppData\Local\Temp\4bbdc585-da7f-4571-9fac-1cb196e7f7f4.vbs

                                                          Filesize

                                                          723B

                                                        • C:\Users\Admin\AppData\Local\Temp\54e22a20-532b-4fa5-a601-e7966162b9dc.vbs

                                                          Filesize

                                                          723B

                                                        • C:\Users\Admin\AppData\Local\Temp\6343f0ad-b255-429d-b213-78c192783808.vbs

                                                          Filesize

                                                          723B

                                                        • C:\Users\Admin\AppData\Local\Temp\80d6d7fb-e896-49a5-811a-a4e7dd703909.vbs

                                                          Filesize

                                                          723B

                                                        • C:\Users\Admin\AppData\Local\Temp\a07731de-3150-4c5a-bade-fdb118f8f4da.vbs

                                                          Filesize

                                                          723B

                                                        • C:\Users\Admin\AppData\Local\Temp\a9be8320-80fa-4dc0-99a4-dfa97402f70f.vbs

                                                          Filesize

                                                          723B

                                                        • C:\Users\Admin\AppData\Local\Temp\ab9cc3c9-0286-43f6-beb3-dc9eb48f02b6.vbs

                                                          Filesize

                                                          723B

                                                          MD5

                                                          3dba91318ab6b4edadddaeb4b6afbf9b

                                                          SHA1

                                                          911aa03677b68032e72a5e6aa6e4c41d737d7988

                                                          SHA256

                                                          9e06037f15528beabedd5b19cdf2081ab500688614bce1a2ac98ce6705fdeafc

                                                          SHA512

                                                          e94126c2aade4943abda820dc61d6bf4b5b24d1893f6b75b2333d97aa3eb4de32ba118020ff3b75d7fab67bc0b1351ddae3f681cbc48f89cae8eafc646a6b21d

                                                        • C:\Users\Admin\AppData\Local\Temp\c3329b7e-3343-4468-87e9-32c0397bd0bc.vbs

                                                          Filesize

                                                          723B

                                                          MD5

                                                          eceb5c103f395835002b77f022abd363

                                                          SHA1

                                                          3adac56971ecc3f5b36d1e9fd59911a34a65d063

                                                          SHA256

                                                          f9291020956e02b71888b7e5b3f18d8a42ba3855de918b9f2a7d3f4aaac03840

                                                          SHA512

                                                          0d70724d96754ed93de42ef65c47a2e988e64ba57527f83d36fa57c9c0b0512bc87b6558841b846f7605f81b9493e696f0e46c1cf7dbb32d0617cecda8bebcee

                                                        • C:\Users\Admin\AppData\Local\Temp\cd28b351-d58b-4743-95cd-b85d6e0bc30d.vbs

                                                          Filesize

                                                          723B

                                                          MD5

                                                          63d03fd8ec4ebba8c937ec34cabdea8e

                                                          SHA1

                                                          3379279e93bbd2beff77b599437343f046905c5f

                                                          SHA256

                                                          da1c497968b43920141acb9ecbe72eeb5d304de585db2ecb24058d06d2871442

                                                          SHA512

                                                          f004a76135b3186376cc766fd99248d7831c974bc2367d72bfb48d07be7f5b0b589c5af40cc05e95bc2618f9372800e666a9af64ef535c3e6ab221beac14c911

                                                        • C:\Users\Admin\AppData\Local\Temp\e29a1080-1ed8-4f23-a275-d0f29b93cf5c.vbs

                                                          Filesize

                                                          723B

                                                          MD5

                                                          17558f8fc91934b0855dde2ee53a1b33

                                                          SHA1

                                                          07d0004c9e010e4f51f3f90fd06743b9e0002d11

                                                          SHA256

                                                          fa081074d0e5d0813fff17302feec10cb97c0330e90abc01d55475a66fb646b2

                                                          SHA512

                                                          2b497c895a9124f62c0bcc9c877e8db646830186744bc0681e2cd23ae4e87aa0ff8ef5b7682adcabcacd8379ac28a7fa3049e613d6ce5b1e9aeb5b84e886d165

                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                          Filesize

                                                          7KB

                                                          MD5

                                                          29cc22c9bc4b490cadc2c8f53fbeba1c

                                                          SHA1

                                                          8084f70d9d3a21e8842bc38ec4f1d8886f574047

                                                          SHA256

                                                          b63901388181cff633d54e92ad2334c8160bae2484fd59c010a9ff72d91ebf27

                                                          SHA512

                                                          59336a701b951fd5ce04d73bf303971d3ed39d786a54a43811ca2bcbba5df947ebacc69abea0e2556dc6ba85ef21ca87880f42f45bc1b59f265fa85d41a5c1f2

                                                        • C:\Windows\Help\OEM\lsm.exe

                                                          Filesize

                                                          2.9MB

                                                          MD5

                                                          e17fb157eae52b5f58b87dad6502a016

                                                          SHA1

                                                          cf2fa3279fb7954d22d217944c92857325937906

                                                          SHA256

                                                          50bb441932784356b8610a513d3d014b5318db54b867e5c6328742bd6baa08d3

                                                          SHA512

                                                          a339bd3bfa9db7ccc3bbd84936bfa161102b4039e047e8c236d67d40784c7153062f6c766a72f80c9e5cfe0848d8e38077c925fb79eb55983e4a0a7f1c9f79d4

• memory/1520-349-0x0000000000AD0000-0x0000000000AE2000-memory.dmp
  Filesize: 72KB

• memory/1520-348-0x00000000001D0000-0x00000000004B6000-memory.dmp
  Filesize: 2.9MB

• memory/1948-324-0x0000000000A90000-0x0000000000AE6000-memory.dmp
  Filesize: 344KB

• memory/2116-171-0x000000001B660000-0x000000001B942000-memory.dmp
  Filesize: 2.9MB

• memory/2236-212-0x00000000004E0000-0x0000000000536000-memory.dmp
  Filesize: 344KB

• memory/2236-211-0x0000000000E30000-0x0000000001116000-memory.dmp
  Filesize: 2.9MB

• memory/2424-13-0x00000000007C0000-0x00000000007C8000-memory.dmp
  Filesize: 32KB

• memory/2424-8-0x0000000000720000-0x0000000000728000-memory.dmp
  Filesize: 32KB

• memory/2424-17-0x00000000009A0000-0x00000000009A8000-memory.dmp
  Filesize: 32KB

• memory/2424-0-0x000007FEF5613000-0x000007FEF5614000-memory.dmp
  Filesize: 4KB

• memory/2424-16-0x00000000007F0000-0x00000000007F8000-memory.dmp
  Filesize: 32KB

• memory/2424-151-0x000007FEF5610000-0x000007FEF5FFC000-memory.dmp
  Filesize: 9.9MB

• memory/2424-1-0x00000000003C0000-0x00000000006A6000-memory.dmp
  Filesize: 2.9MB

• memory/2424-24-0x0000000000A10000-0x0000000000A1A000-memory.dmp
  Filesize: 40KB

• memory/2424-15-0x00000000007E0000-0x00000000007F2000-memory.dmp
  Filesize: 72KB

• memory/2424-23-0x0000000000A00000-0x0000000000A08000-memory.dmp
  Filesize: 32KB

• memory/2424-22-0x00000000009F0000-0x00000000009FC000-memory.dmp
  Filesize: 48KB

• memory/2424-14-0x00000000007D0000-0x00000000007DC000-memory.dmp
  Filesize: 48KB

• memory/2424-18-0x00000000009B0000-0x00000000009BA000-memory.dmp
  Filesize: 40KB

• memory/2424-12-0x00000000007B0000-0x00000000007BC000-memory.dmp
  Filesize: 48KB

• memory/2424-11-0x0000000000760000-0x00000000007B6000-memory.dmp
  Filesize: 344KB

• memory/2424-10-0x0000000000730000-0x000000000073A000-memory.dmp
  Filesize: 40KB

• memory/2424-9-0x0000000000740000-0x0000000000750000-memory.dmp
  Filesize: 64KB

• memory/2424-25-0x00000000022C0000-0x00000000022CC000-memory.dmp
  Filesize: 48KB

• memory/2424-19-0x00000000009C0000-0x00000000009CE000-memory.dmp
  Filesize: 56KB

• memory/2424-7-0x00000000003B0000-0x00000000003B8000-memory.dmp
  Filesize: 32KB

• memory/2424-6-0x0000000000390000-0x00000000003A6000-memory.dmp
  Filesize: 88KB

• memory/2424-20-0x00000000009D0000-0x00000000009D8000-memory.dmp
  Filesize: 32KB

• memory/2424-2-0x000007FEF5610000-0x000007FEF5FFC000-memory.dmp
  Filesize: 9.9MB

• memory/2424-5-0x0000000000180000-0x0000000000190000-memory.dmp
  Filesize: 64KB

• memory/2424-4-0x0000000000170000-0x0000000000178000-memory.dmp
  Filesize: 32KB

• memory/2424-21-0x00000000009E0000-0x00000000009EE000-memory.dmp
  Filesize: 56KB

• memory/2424-3-0x0000000000150000-0x000000000016C000-memory.dmp
  Filesize: 112KB

• memory/2492-302-0x0000000000C20000-0x0000000000C76000-memory.dmp
  Filesize: 344KB

• memory/2492-301-0x0000000001200000-0x00000000014E6000-memory.dmp
  Filesize: 2.9MB

• memory/2504-336-0x00000000007F0000-0x0000000000846000-memory.dmp
  Filesize: 344KB

• memory/2556-361-0x0000000000CD0000-0x0000000000FB6000-memory.dmp
  Filesize: 2.9MB

• memory/2808-177-0x0000000002800000-0x0000000002808000-memory.dmp
  Filesize: 32KB

• memory/2884-278-0x00000000011B0000-0x0000000001496000-memory.dmp
  Filesize: 2.9MB