Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-05-2024 00:58

General

  • Target

    6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe

  • Size

    2.9MB

  • MD5

    6a9aaa3fc23d1561df97e3f9eb2de110

  • SHA1

    d0effad0bad292fb0bcb377cbafacd8db83a474e

  • SHA256

    9ff431f5f1b0f09adff076f71cdfbe91566f3b00f5ea57fc9e4c02aef199a565

  • SHA512

    7350bce60b1a9ffb8ce8c8f98e17ebef7931db0f8a77af7d4dfef0ac02065169ec51734e0602a2be5790e77be9703ea560f3caf640dbaee85fc30e4630912c4c

  • SSDEEP

    49152:P4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:gDKmzjWnC8Wikx1DUN2/Uq

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 42 IoCs
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 14 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 13 IoCs
  • Checks whether UAC is enabled 1 TTPs 28 IoCs
  • Drops file in Program Files directory 28 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3044
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4428
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3036
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1940
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2976
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1012
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3408
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:748
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2084
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1eVLovZyht.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4792
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1380
        • C:\Users\Public\Desktop\SppExtComObj.exe
          "C:\Users\Public\Desktop\SppExtComObj.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1704
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7b638d4-5fd7-4ac3-b40a-cd953d17e58f.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4136
            • C:\Users\Public\Desktop\SppExtComObj.exe
              C:\Users\Public\Desktop\SppExtComObj.exe
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1384
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\867031d9-3c18-4d21-987a-aacad3495529.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1904
                • C:\Users\Public\Desktop\SppExtComObj.exe
                  C:\Users\Public\Desktop\SppExtComObj.exe
                  7⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:3288
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4c6de94-e9f3-4cab-a86b-cda169f9474e.vbs"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2928
                    • C:\Users\Public\Desktop\SppExtComObj.exe
                      C:\Users\Public\Desktop\SppExtComObj.exe
                      9⤵
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:3776
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc410e8a-6f72-4d31-a2f8-0587f0818a32.vbs"
                        10⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4716
                        • C:\Users\Public\Desktop\SppExtComObj.exe
                          C:\Users\Public\Desktop\SppExtComObj.exe
                          11⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:3408
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f19afa23-5b72-4b35-8c12-968589555f98.vbs"
                            12⤵
                            • Suspicious use of WriteProcessMemory
                            PID:4784
                            • C:\Users\Public\Desktop\SppExtComObj.exe
                              C:\Users\Public\Desktop\SppExtComObj.exe
                              13⤵
                              • UAC bypass
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              • System policy modification
                              PID:5000
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56f1c34c-937d-41f2-b542-6e188445a0f6.vbs"
                                14⤵
                                • Suspicious use of WriteProcessMemory
                                PID:1384
                                • C:\Users\Public\Desktop\SppExtComObj.exe
                                  C:\Users\Public\Desktop\SppExtComObj.exe
                                  15⤵
                                  • UAC bypass
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • System policy modification
                                  PID:3120
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1c06223-4f0e-4374-b106-c2c26ed41918.vbs"
                                    16⤵
                                      PID:3240
                                      • C:\Users\Public\Desktop\SppExtComObj.exe
                                        C:\Users\Public\Desktop\SppExtComObj.exe
                                        17⤵
                                        • UAC bypass
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Checks whether UAC is enabled
                                        • Modifies registry class
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        • System policy modification
                                        PID:3684
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e005aae2-6eb8-4de4-a14a-f77e451453fa.vbs"
                                          18⤵
                                            PID:1076
                                            • C:\Users\Public\Desktop\SppExtComObj.exe
                                              C:\Users\Public\Desktop\SppExtComObj.exe
                                              19⤵
                                              • UAC bypass
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Checks whether UAC is enabled
                                              • Modifies registry class
                                              • Suspicious use of AdjustPrivilegeToken
                                              • System policy modification
                                              PID:3040
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80f87e97-7f4d-4087-a731-f2d1dcd041c0.vbs"
                                                20⤵
                                                  PID:1228
                                                  • C:\Users\Public\Desktop\SppExtComObj.exe
                                                    C:\Users\Public\Desktop\SppExtComObj.exe
                                                    21⤵
                                                    • UAC bypass
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Checks whether UAC is enabled
                                                    • Modifies registry class
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • System policy modification
                                                    PID:4372
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b30ed35c-1114-4a4b-a00c-84bdf94a1257.vbs"
                                                      22⤵
                                                        PID:212
                                                        • C:\Users\Public\Desktop\SppExtComObj.exe
                                                          C:\Users\Public\Desktop\SppExtComObj.exe
                                                          23⤵
                                                          • UAC bypass
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Checks whether UAC is enabled
                                                          • Modifies registry class
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • System policy modification
                                                          PID:2672
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6c47d47-75b7-40fa-985b-463997eece38.vbs"
                                                            24⤵
                                                              PID:1496
                                                              • C:\Users\Public\Desktop\SppExtComObj.exe
                                                                C:\Users\Public\Desktop\SppExtComObj.exe
                                                                25⤵
                                                                • UAC bypass
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Checks whether UAC is enabled
                                                                • Modifies registry class
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                • System policy modification
                                                                PID:3800
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07634cb4-1ff0-47e6-94fa-496d320b59df.vbs"
                                                                  26⤵
                                                                    PID:4420
                                                                    • C:\Users\Public\Desktop\SppExtComObj.exe
                                                                      C:\Users\Public\Desktop\SppExtComObj.exe
                                                                      27⤵
                                                                      • UAC bypass
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Checks whether UAC is enabled
                                                                      • Modifies registry class
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      • System policy modification
                                                                      PID:4604
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef36fb5e-85ed-439c-a95c-2abb601307f0.vbs"
                                                                        28⤵
                                                                          PID:1632
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7db721d0-cf02-4855-853b-4f3bc8229a91.vbs"
                                                                          28⤵
                                                                            PID:4716
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8320cc67-1b2d-4a06-b65f-254cf1f143c8.vbs"
                                                                        26⤵
                                                                          PID:4284
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f45d6431-ef34-429e-9131-eb400fee206d.vbs"
                                                                      24⤵
                                                                        PID:3652
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a1d8ffe-3da1-4838-b1db-681923ce0094.vbs"
                                                                    22⤵
                                                                      PID:3392
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6748e0eb-3968-4af7-ae19-2310aec5b166.vbs"
                                                                  20⤵
                                                                    PID:2260
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0db83065-d0d7-48f7-b260-f53b52911d8f.vbs"
                                                                18⤵
                                                                  PID:4080
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35db84db-db0d-465d-b4da-e3de513ba0e5.vbs"
                                                              16⤵
                                                                PID:116
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d11dba5-ec05-4476-80d2-eeb70a435eac.vbs"
                                                            14⤵
                                                              PID:380
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31203692-cd40-4d7e-927c-1ce8d80e6cbd.vbs"
                                                          12⤵
                                                            PID:3348
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6abdcbeb-a372-477b-8f54-da3530e6afef.vbs"
                                                        10⤵
                                                          PID:228
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bceecce9-87f2-4b2a-9c0c-4e05f369fa9c.vbs"
                                                      8⤵
                                                        PID:1792
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2026a482-574d-4e98-b261-11b280a3fed3.vbs"
                                                    6⤵
                                                      PID:3280
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d119284-8c4e-4797-8e43-f3f3244f12cd.vbs"
                                                  4⤵
                                                    PID:1784
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\sppsvc.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1088
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\7-Zip\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:4852
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2080
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:5068
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2136
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:400
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:4920
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:3400
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:4580
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:3640
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:4124
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:3960
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\SppExtComObj.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:4428
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\Desktop\SppExtComObj.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:4544
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\SppExtComObj.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:748
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\sihost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1588
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\sihost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2856
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\sihost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1636
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:3288
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:4896
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:4156
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:4284
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:4000
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1812
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:5016
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:3120
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2824
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics6" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:4792
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2088
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics6" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1308
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\images\backgroundTaskHost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:4496
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\backgroundTaskHost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:3468
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\images\backgroundTaskHost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1716
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2220
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2148
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2204
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\bcastdvr\StartMenuExperienceHost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:4592
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:4004
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Windows\bcastdvr\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:3684

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\Recovery\WindowsRE\SppExtComObj.exe

                                              Filesize

                                              2.9MB

                                              MD5

                                              58cfbffa0af1c9236549bbaf09bffe18

                                              SHA1

                                              f24b635b342c3d430d1bf17df62baceaa04a1456

                                              SHA256

                                              dae9ec9ec48f22aeeac80182ffe9571cda634bfdb51ae0f7ba093871eb5e472d

                                              SHA512

                                              c438cd19957408cac5c88d1f95d58e521bf3a9ca625c9ca5fd197800a8ca9581908f8b358f2e750de311e2bafffbd4687be51100eaf0bde51028042bd40b0d47

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

                                              Filesize

                                              1KB

                                              MD5

                                              4a667f150a4d1d02f53a9f24d89d53d1

                                              SHA1

                                              306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

                                              SHA256

                                              414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

                                              SHA512

                                              4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                              Filesize

                                              2KB

                                              MD5

                                              d85ba6ff808d9e5444a4b369f5bc2730

                                              SHA1

                                              31aa9d96590fff6981b315e0b391b575e4c0804a

                                              SHA256

                                              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                              SHA512

                                              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              944B

                                              MD5

                                              4a154efa7af25bb8b94d0d9c7b4f15cd

                                              SHA1

                                              5e0e04103e4eef1bc7ef242b730aed1958f98e1f

                                              SHA256

                                              c216eda372556eb78e680bde247c2fd2085642ee33031905a213c6bec502ccce

                                              SHA512

                                              fc4678133318fe1952947be74e244246336c7faacc9b9ae32336d57b106ec8f044e5db41dd98e8f3a54270ddacab2fc84a66d5d67deeadc3056ea5213bcbbba4

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              944B

                                              MD5

                                              bd5940f08d0be56e65e5f2aaf47c538e

                                              SHA1

                                              d7e31b87866e5e383ab5499da64aba50f03e8443

                                              SHA256

                                              2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

                                              SHA512

                                              c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              944B

                                              MD5

                                              cadef9abd087803c630df65264a6c81c

                                              SHA1

                                              babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                                              SHA256

                                              cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                                              SHA512

                                              7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              944B

                                              MD5

                                              6d3e9c29fe44e90aae6ed30ccf799ca8

                                              SHA1

                                              c7974ef72264bbdf13a2793ccf1aed11bc565dce

                                              SHA256

                                              2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                                              SHA512

                                              60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                                            • C:\Users\Admin\AppData\Local\Temp\07634cb4-1ff0-47e6-94fa-496d320b59df.vbs

                                              Filesize

                                              716B

                                              MD5

                                              e74f2a0eda2c8fa14900a4c9d2b391a7

                                              SHA1

                                              ad326baca00fed05388abbd27df53cec02e2f34f

                                              SHA256

                                              d31e92f54b182a30249a00f29d35e1f25a4fb5b7ad0a33a540ac5214e34e5af6

                                              SHA512

                                              22e40d048328baf116e5d466dbd5f58dd7fac663f888dee58fe50d851d8723fa2ccdab6e61c977cbd19edb50c416821e9b6a0791a3a9885151e082182461bf07

                                            • C:\Users\Admin\AppData\Local\Temp\1eVLovZyht.bat

                                              Filesize

                                              205B

                                              MD5

                                              ae030a9d77ff40e28b11ad64afdbdf97

                                              SHA1

                                              bfcced4adf723e7ace2365328582d5e88dc56dd0

                                              SHA256

                                              44edfdb71cb6d02b02164805829e5660b80eb0bdbcdbfe8b7b18ee995e35f0f8

                                              SHA512

                                              ad12b0292f43ab97171166c5f3bdf01ea07eab928c0dbeea52637ef0a239873bf54019b69dc2fa4a892dcb4993573884e96f7e8aa15adf93af779cd5a1061dfd

                                            • C:\Users\Admin\AppData\Local\Temp\56f1c34c-937d-41f2-b542-6e188445a0f6.vbs

                                              Filesize

                                              716B

                                              MD5

                                              5f80dd244750ae9d77296f14c5aa32cd

                                              SHA1

                                              1da76c8406cd851e3104dca8afc8d34180c6fec9

                                              SHA256

                                              f24e91c8a1cb7e255b3dda7ad2b5a79bf8bfbdf899a28a2987976d0857a844b3

                                              SHA512

                                              1a0d03ad65d78a7d965d2135aa41d3c4769fdb4e8fe8a33352a8e8f3102d65e2bcfc045cc971ae4865d2cc885ff344c79f7151f6efe5ac051c24a5d0e110a07c

                                            • C:\Users\Admin\AppData\Local\Temp\80f87e97-7f4d-4087-a731-f2d1dcd041c0.vbs

                                              Filesize

                                              716B

                                              MD5

                                              01d6a0d2f6013409e77b60ed768ead8e

                                              SHA1

                                              6463b2cd80e7e4e541e8202c6f9625245f29ff85

                                              SHA256

                                              528e0f32871bb0b17f17bb9112e6e0427bfe5d00a6ac2661a0437a291a098280

                                              SHA512

                                              4f4a516a266c7af3c9702467b2ed3af22194477266f7cb9c16cff51039c2e36761fa70ef1e68fe2bc2d9d065792e9ff1458dfaaed6bc7e29e26d9c1fe9250c4e

                                            • C:\Users\Admin\AppData\Local\Temp\867031d9-3c18-4d21-987a-aacad3495529.vbs

                                              Filesize

                                              716B

                                              MD5

                                              df127eecf3a4aa43a70c0d795f2b2047

                                              SHA1

                                              f79d32f6343ef009d52e3d6cdba686b1602a6691

                                              SHA256

                                              4db5bd507e4695e1c78d38f7d05e9453b6dac8890ffd75308c366db7dc5a857f

                                              SHA512

                                              d32b18c4b598ddc13c6a9fdcc30647332496066e27e8ebe1bcb3e08a74fa983bd7d0fe92af3230b7e4c113b843e445fb115ec5c2aba274c51594362aa9bfb9ee

                                            • C:\Users\Admin\AppData\Local\Temp\8d119284-8c4e-4797-8e43-f3f3244f12cd.vbs

                                              Filesize

                                              492B

                                              MD5

                                              233fb7bd35a95558de2fe5a22997950f

                                              SHA1

                                              3c697d5b988768f31d827c41a8c3344c3271622e

                                              SHA256

                                              ed8c8b6efe7dff654b7555f043e9b45d8d3187403660e3a759dc67de75509181

                                              SHA512

                                              e8b15093390acc2c885cedee6599ef6e5b28a814f89c9ff7fa376432761d4a44f07284afcde4afbaf0faea5327d524284dc895d5a6091f9c2b17be798ce5aa3c

                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dbwngwwr.nba.ps1

                                              Filesize

                                              60B

                                              MD5

                                              d17fe0a3f47be24a6453e9ef58c94641

                                              SHA1

                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                              SHA256

                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                              SHA512

                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                            • C:\Users\Admin\AppData\Local\Temp\b30ed35c-1114-4a4b-a00c-84bdf94a1257.vbs

                                              Filesize

                                              716B

                                              MD5

                                              aefc45548b2ad92a160ea58a3f7d5926

                                              SHA1

                                              9db942bce6a67c8276019dde50c5acb6a72ba5df

                                              SHA256

                                              2bff36881d908f1b3fe3739f9321c06487b207faae5974ca5ee9c147cec1bfe8

                                              SHA512

                                              73d3f3a971b9138778e78419deacb6276484c8fd2428c00fc16be43da025187851b06a83e27d45dacf32dda6607ed1a72ed494e41813df30b48d9d8197d4cfec

                                            • C:\Users\Admin\AppData\Local\Temp\b6c47d47-75b7-40fa-985b-463997eece38.vbs

                                              Filesize

                                              716B

                                              MD5

                                              30e010047ed5d53cb9ade01766dc09c9

                                              SHA1

                                              d254619cad92050edf8829c97f48fcf9e02d4d24

                                              SHA256

                                              00c4f467e4668d6a934ec3219e20eb8d5f54b2a0d7888725596739519e7a84fa

                                              SHA512

                                              9a9980134ff145750028a95c99b6f99a26d9c0088e0860ad26640173b37d5690d4de528292718611b20c37149cd37c9ce7583cc31a604281fdda20ce5f9b5635

                                            • C:\Users\Admin\AppData\Local\Temp\c1c06223-4f0e-4374-b106-c2c26ed41918.vbs

                                              Filesize

                                              716B

                                              MD5

                                              e091691c10039e69b06cf1b580cbe2d0

                                              SHA1

                                              2d1d004c5f20453413b94f894005c521cf5d12a0

                                              SHA256

                                              57e45836487c5287693c452369d1383f8684f541a00b09de8d7467fb8b5a29eb

SHA512: 77d788872d2df68e760ec732217678333dd0627bb3e1e09f37ea1689a5ee1c556d70d624d655ea79501cd6741ec58ec8126bd93c2f9df82e383f330f74037df0

• C:\Users\Admin\AppData\Local\Temp\c7b638d4-5fd7-4ac3-b40a-cd953d17e58f.vbs
  Filesize: 716B
  MD5: ff352044ac62337fb143b877f57bee46
  SHA1: 2ed6d6c461477de5aa7562b26ab13830d236e32e
  SHA256: b2e91443b5e16bca555399529bd7aef8f95bc27c9f056ce5cf1a3a3960f4f91c
  SHA512: ef74d9105e82a8c946f5c34940cc7f64de5a8a6fa11c651a025c99b9785bfe857ab1daa5eb361aa47761c5e987119f4b0875d2b467f6cd7f5a31f2704a625000

• C:\Users\Admin\AppData\Local\Temp\dc410e8a-6f72-4d31-a2f8-0587f0818a32.vbs
  Filesize: 716B
  MD5: 11ace1362dcbce73adfe71f62d7776a8
  SHA1: 29faf41a74e3db8b09c6035f87198861ef81a84c
  SHA256: a6238e8b37b2ffd64152cbdad39195f80c49d40a97f16edb63136ef45ace3219
  SHA512: 10124ceb82264e06d00c0d2540eec25b96ccad8eef6e59c419e03a2360043868aaf6af4acce5d6ef93aa36f509d4c7570c9c19f4c852bcbd9c9967186634c8ba

• C:\Users\Admin\AppData\Local\Temp\e005aae2-6eb8-4de4-a14a-f77e451453fa.vbs
  Filesize: 716B
  MD5: ba9a3042ea9101f89bf1d7c7dd7bf135
  SHA1: 681f794813cd4f77acdfa72b6e219e3b5e83a817
  SHA256: d1a03e54612beb93356efe14db33a01ce89aba71d69dba6b9e3fb9077a4ba4f7
  SHA512: 9b73b65efb24d6d4f94097444b7c8b6ccdef89d9ebe3f6762ebbc70debe4fe5eb9133fa3993b5ca585232f74f28827c5feb74b44b4d4e80734d83c1a272a2974

• C:\Users\Admin\AppData\Local\Temp\ef36fb5e-85ed-439c-a95c-2abb601307f0.vbs
  Filesize: 716B
  MD5: 76bacbf0c2500e5a052c3fc7bdecccf4
  SHA1: 30b6e8c3e80e585f78bc5dd5d16ac3a35c0f4c4d
  SHA256: 76ff6246e872cded4cefe2b8242c273264814c19d2a14ef45c25faf81b95edc3
  SHA512: cc1699ef947616e20249ba58592414442b5b9b32cc08a15ecc8528ef36aae61e989b2028c5deedb974c3c2a63dd5dc9880754e3f894a56b8f806cc191ebad293

• C:\Users\Admin\AppData\Local\Temp\f19afa23-5b72-4b35-8c12-968589555f98.vbs
  Filesize: 716B
  MD5: 621d7767269bfbad5c4a89b6df4743fc
  SHA1: ec3992ce710e53e3ce19a238d4513e61051ab467
  SHA256: aadce17bb88b813f0c01e006cbbddc180f76923d262a55417450f2496a900747
  SHA512: e9067d9f8328da6c38e8e0966c5f0801460fbd97f38f5f9decdd5831856e114e2750ae25d91915cb286fa6c73ee761ee687ff7d95d482c5b996bb2b6057f08e4

• C:\Users\Admin\AppData\Local\Temp\f4c6de94-e9f3-4cab-a86b-cda169f9474e.vbs
  Filesize: 716B
  MD5: 02892f91880a5fbce36efb0b5a01e223
  SHA1: ac5815053655b90080dac69218900c0409a8398a
  SHA256: 2a1c323344b4e1e095694d06b3e584226ec0879409229d3b95e026ddd633c9d7
  SHA512: cc33ae2206b07dccca14b4589e9c70c5192fd869a45a80be6262f101801292cc681d66991396c0758aa4fbb3557abf70115dac0d8ecf5acc5afd88c540d857f7

• C:\Users\Public\Desktop\SppExtComObj.exe
  Filesize: 2.9MB
  MD5: 6a9aaa3fc23d1561df97e3f9eb2de110
  SHA1: d0effad0bad292fb0bcb377cbafacd8db83a474e
  SHA256: 9ff431f5f1b0f09adff076f71cdfbe91566f3b00f5ea57fc9e4c02aef199a565
  SHA512: 7350bce60b1a9ffb8ce8c8f98e17ebef7931db0f8a77af7d4dfef0ac02065169ec51734e0602a2be5790e77be9703ea560f3caf640dbaee85fc30e4630912c4c

• memory/1704-276-0x000000001B200000-0x000000001B212000-memory.dmp
  Filesize: 72KB

• memory/3040-366-0x000000001B3B0000-0x000000001B3C2000-memory.dmp
  Filesize: 72KB

• memory/3044-15-0x000000001B700000-0x000000001B70C000-memory.dmp
  Filesize: 48KB

• memory/3044-2-0x00007FF9181B0000-0x00007FF918C71000-memory.dmp
  Filesize: 10.8MB

• memory/3044-0-0x00007FF9181B3000-0x00007FF9181B5000-memory.dmp
  Filesize: 8KB

• memory/3044-19-0x000000001B750000-0x000000001B758000-memory.dmp
  Filesize: 32KB

• memory/3044-148-0x00007FF9181B0000-0x00007FF918C71000-memory.dmp
  Filesize: 10.8MB

• memory/3044-18-0x000000001B740000-0x000000001B748000-memory.dmp
  Filesize: 32KB

• memory/3044-13-0x000000001B6E0000-0x000000001B6EC000-memory.dmp
  Filesize: 48KB

• memory/3044-26-0x000000001B7C0000-0x000000001B7CA000-memory.dmp
  Filesize: 40KB

• memory/3044-21-0x000000001B770000-0x000000001B77E000-memory.dmp
  Filesize: 56KB

• memory/3044-22-0x000000001B780000-0x000000001B788000-memory.dmp
  Filesize: 32KB

• memory/3044-23-0x000000001B790000-0x000000001B79E000-memory.dmp
  Filesize: 56KB

• memory/3044-17-0x000000001BC70000-0x000000001C198000-memory.dmp
  Filesize: 5.2MB

• memory/3044-16-0x000000001B710000-0x000000001B722000-memory.dmp
  Filesize: 72KB

• memory/3044-27-0x000000001B7D0000-0x000000001B7DC000-memory.dmp
  Filesize: 48KB

• memory/3044-1-0x00000000000A0000-0x0000000000386000-memory.dmp
  Filesize: 2.9MB

• memory/3044-24-0x000000001B7A0000-0x000000001B7AC000-memory.dmp
  Filesize: 48KB

• memory/3044-20-0x000000001B760000-0x000000001B76A000-memory.dmp
  Filesize: 40KB

• memory/3044-12-0x000000001B690000-0x000000001B6E6000-memory.dmp
  Filesize: 344KB

• memory/3044-11-0x000000001B680000-0x000000001B68A000-memory.dmp
  Filesize: 40KB

• memory/3044-10-0x000000001B670000-0x000000001B680000-memory.dmp
  Filesize: 64KB

• memory/3044-3-0x000000001AE90000-0x000000001AEAC000-memory.dmp
  Filesize: 112KB

• memory/3044-6-0x000000001B5D0000-0x000000001B5E0000-memory.dmp
  Filesize: 64KB

• memory/3044-7-0x000000001B5E0000-0x000000001B5F6000-memory.dmp
  Filesize: 88KB

• memory/3044-14-0x000000001B6F0000-0x000000001B6F8000-memory.dmp
  Filesize: 32KB

• memory/3044-9-0x000000001B660000-0x000000001B668000-memory.dmp
  Filesize: 32KB

• memory/3044-25-0x000000001B7B0000-0x000000001B7B8000-memory.dmp
  Filesize: 32KB

• memory/3044-8-0x000000001B600000-0x000000001B608000-memory.dmp
  Filesize: 32KB

• memory/3044-5-0x000000001B5C0000-0x000000001B5C8000-memory.dmp
  Filesize: 32KB

• memory/3044-4-0x000000001B610000-0x000000001B660000-memory.dmp
  Filesize: 320KB

• memory/3408-154-0x00000264F5F70000-0x00000264F5F92000-memory.dmp
  Filesize: 136KB

• memory/3684-354-0x000000001BC70000-0x000000001BC82000-memory.dmp
  Filesize: 72KB

• memory/4604-411-0x000000001B460000-0x000000001B472000-memory.dmp
  Filesize: 72KB