Analysis

  • max time kernel
    148s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64 · arch:x86 · image:win7-20240220-en · locale:en-us · os:windows7-x64 · system
  • submitted
    16-05-2024 01:57

General

  • Target

    78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe

  • Size

    2.9MB

  • MD5

    78e93535702e2a553d85bac1d4737210

  • SHA1

    572ed789a4da08d6c3cc770b4b49bb6d6a4ea75f

  • SHA256

    b6d844ec087f7be57656bfb4782919dbe0cf823301b441e68b7a7a8e757049fb

  • SHA512

    ad2ff42ed3569df69618af61d3732744c3aa713816709dbe53b11ee07df97f744acd99c26155485a3dac76a4576592e181e3198bbaad86009de716b72a183baa

  • SSDEEP

    49152:H4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:YDKmzjWnC8Wikx1DUN2/Uq

Malware Config

Signatures

  • DcRat

    DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.

  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 36 IoCs
  • DCRat payload 14 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    PowerShell is run to modify Windows Defender settings, adding exclusions for file extensions, paths or processes. In this run the sample issues one Add-MpPreference -ExclusionPath call for C:\ itself and one for every top-level directory on the drive (twelve powershell.exe children in the process tree below), which would exempt the whole volume from scanning. Note that the Defender PowerShell module (Add-MpPreference and friends) ships with Windows 8.1 and later, so on this Windows 7 image the calls are visible only as process launches; on a Windows 10/11 host they would take effect.

  • Executes dropped EXE 11 IoCs
  • Checks whether UAC is enabled 1 TTPs 24 IoCs
  • Drops file in Program Files directory 24 IoCs
  • Drops file in Windows directory 24 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here every dropped copy is registered three times: a MINUTE-interval task with no run level, a second MINUTE-interval task with /rl HIGHEST, and an ONLOGON task with /rl HIGHEST. The targets are named after system processes (smss.exe, lsass.exe, csrss.exe, winlogon.exe, spoolsv.exe, sppsvc.exe) but live in directories those binaries never use, such as C:\Windows\Migration\WTR, C:\Windows\debug\WIA or C:\Program Files\Microsoft Games\Minesweeper\ja-JP.

  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
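    The two behaviours that carry the most IoCs in this report, the Defender exclusions and the schtasks persistence, can be triaged straight from process-creation command lines. The Python below is an added example written for this page, not part of the sandbox report or of DCRat itself. The command lines it scans are copied from the process tree further down (plus one constructed benign schtasks line as a control); the rule names, the 15-minute relaunch threshold and the list of directories treated as legitimate homes for system binaries are assumptions of the example, not a vendor signature.

```python
"""Triage rules for the Defender-exclusion and schtasks-persistence patterns in this report.

Added example, not part of the sandbox report. SAMPLE is constructed from the report's
process tree (last line is a benign control); thresholds and rule names are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Image names the sample reuses for its dropped copies. The genuine binaries live in System32.
SYSTEM_IMAGE_NAMES = {"smss.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "spoolsv.exe", "sppsvc.exe"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}  # assumption: where these names are expected

SAMPLE = [  # constructed: lines 0-4 copied from the report, line 5 is a benign control
    '"powershell" -Command Add-MpPreference -ExclusionPath \'C:/\'',
    '"powershell" -Command Add-MpPreference -ExclusionPath \'C:/Program Files (x86)/\'',
    'w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2',
    'schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "\'C:\\Users\\All Users\\spoolsv.exe\'" /f',
    'schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "\'C:\\Windows\\Migration\\WTR\\lsass.exe\'" /rl HIGHEST /f',
    'schtasks.exe /create /tn "backup" /sc DAILY /tr "C:\\Program Files\\Backup\\backup.exe" /f',
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans as one token."""
    return [quoted if quoted else bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def defender_exclusion(cmdline):
    """Return (kind, value) for an Add-MpPreference -Exclusion{Path,Process,Extension} call, else None."""
    m = re.search(
        r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
        cmdline, re.IGNORECASE)
    if not m:
        return None
    value = next(v for v in m.groups()[1:] if v is not None)  # whichever quoting form matched
    return m.group(1).lower(), value


def parse_schtasks(cmdline):
    """Return the /tn /sc /mo /tr /rl options of a `schtasks /create` line, or None if it is not one."""
    toks = tokenize(cmdline)
    if not toks or PureWindowsPath(toks[0]).name.lower() != "schtasks.exe":
        return None
    lowered = [t.lower() for t in toks]
    if "/create" not in lowered:
        return None
    opts = {}
    for i, t in enumerate(lowered):
        if t in ("/tn", "/sc", "/mo", "/tr", "/rl") and i + 1 < len(toks):
            opts[t[1:]] = toks[i + 1].strip("'")  # the sample passes /tr as "'C:\...\x.exe'"
    return opts


def task_findings(opts, max_minutes=15):
    """Score a parsed task: masquerading image path, tight relaunch loop, elevated run level."""
    findings = []
    target = PureWindowsPath(opts.get("tr", ""))
    if target.name.lower() in SYSTEM_IMAGE_NAMES and str(target.parent).lower() not in LEGIT_DIRS:
        findings.append(f"system-process name outside System32: {target}")
    mo = opts.get("mo", "")
    if opts.get("sc", "").upper() == "MINUTE" and mo.isdigit() and int(mo) <= max_minutes:
        findings.append(f"relaunch every {mo} min (watchdog-style persistence)")
    if opts.get("rl", "").upper() == "HIGHEST":
        findings.append("/rl HIGHEST (highest privileges of the account, no UAC prompt when the scheduler fires it)")
    return findings


def triage(cmdlines):
    """Map each suspicious command line to its findings; lines with no findings are left out."""
    report = {}
    for line in cmdlines:
        findings = []
        excl = defender_exclusion(line)
        if excl:
            kind, value = excl
            scope = "whole drive" if re.fullmatch(r"[A-Za-z]:[\\/]?", value) else value
            findings.append(f"Defender {kind} exclusion added: {scope}")
        opts = parse_schtasks(line)
        if opts:
            findings.extend(task_findings(opts))
        if findings:
            report[line] = findings
    return report


if __name__ == "__main__":
    for line, findings in triage(SAMPLE).items():
        print(line)
        for finding in findings:
            print("   -", finding)
```

    The benign DAILY backup task and the w32tm call produce no findings, so the rules separate the persistence pattern seen here from ordinary task creation on the image name and directory rather than on the use of schtasks alone. In a real pipeline the SAMPLE list would be replaced by the CommandLine field of Sysmon Event ID 1 or Security 4688 records.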

Processes

  • C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1664
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2540
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2076
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2080
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2104
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2224
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2096
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2088
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1256
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:324
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2492
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2444
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YD2Vui68H4.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2196
        • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe
          "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2844
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb0bdaa7-9959-44b3-b275-374c23ad3dbc.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2924
            • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe
              "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1804
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\253cfe41-456b-4717-828b-437aed799842.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2284
                • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe
                  "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:988
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a51755b3-c6df-49e0-84af-fe8af15f789c.vbs"
                    8⤵
                      PID:1736
                      • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe
                        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
                        9⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:2376
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8f0c640-1635-45c6-9063-0d28594d2599.vbs"
                          10⤵
                            PID:1948
                            • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe
                              "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
                              11⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:2008
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2dd08480-8628-4cee-9175-699b2c66e957.vbs"
                                12⤵
                                  PID:2792
                                  • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe
                                    "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
                                    13⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:1400
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9251f47c-65a6-4c9d-a482-2abb570dde81.vbs"
                                      14⤵
                                        PID:1028
                                        • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe
                                          "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
                                          15⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:1616
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c46e484-0032-424b-92cf-c0b0f37b9fc9.vbs"
                                            16⤵
                                              PID:1700
                                              • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe
                                                "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
                                                17⤵
                                                • UAC bypass
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:1808
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4b73624-ddb4-4c31-8677-d0856c66f541.vbs"
                                                  18⤵
                                                    PID:1096
                                                    • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe
                                                      "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
                                                      19⤵
                                                      • UAC bypass
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • System policy modification
                                                      PID:1952
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8697ec9-b9e3-439a-8b53-dbb4966a7231.vbs"
                                                        20⤵
                                                          PID:588
                                                          • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe
                                                            "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
                                                            21⤵
                                                            • UAC bypass
                                                            • Executes dropped EXE
                                                            • Checks whether UAC is enabled
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • System policy modification
                                                            PID:272
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7f26326-349f-4229-b1e3-0ad737bc2fcc.vbs"
                                                              22⤵
                                                                PID:2388
                                                                • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe
                                                                  "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
                                                                  23⤵
                                                                  • UAC bypass
                                                                  • Executes dropped EXE
                                                                  • Checks whether UAC is enabled
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • System policy modification
                                                                  PID:1524
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7daee9d-82b9-4f22-a005-16c8163551ed.vbs"
                                                                    24⤵
                                                                      PID:1636
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\734fcb3a-0633-4c18-8dbb-faf65501af97.vbs"
                                                                      24⤵
                                                                        PID:932
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5461f44-f0e2-41e9-a039-50115ad6a6e3.vbs"
                                                                    22⤵
                                                                      PID:2772
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f86e840-b08f-466c-aaa5-cd3b2caafc51.vbs"
                                                                  20⤵
                                                                    PID:2980
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08597b29-db66-4aa1-b040-ee44b0a0b9c0.vbs"
                                                                18⤵
                                                                  PID:2948
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\363490ec-67ae-4630-acb1-1fd1655d4903.vbs"
                                                              16⤵
                                                                PID:988
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ff150a1-e436-4a07-aee7-fe560b0c5d25.vbs"
                                                            14⤵
                                                              PID:1760
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b37cde5-6c51-43c0-aebf-5e27ad6daf7f.vbs"
                                                          12⤵
                                                            PID:1928
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\958268e6-247d-499a-80f9-17f84dedb9b3.vbs"
                                                        10⤵
                                                          PID:1036
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf1c885f-f97d-46b0-8fdc-447da0d21c07.vbs"
                                                      8⤵
                                                        PID:888
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f7105e9-eb91-440a-b555-39f520978e6d.vbs"
                                                    6⤵
                                                      PID:2188
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82436d53-5309-40f3-ac36-a474d00d2904.vbs"
                                                  4⤵
                                                    PID:2912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2480
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2444
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2464
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2224
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2924
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3064
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\security\templates\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:764
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\security\templates\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1924
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\security\templates\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1968
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\WIA\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2396
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\debug\WIA\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\WIA\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:300
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\winlogon.exe'" /rl HIGHEST /f
    1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1340
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1332
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\spoolsv.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2052
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2124
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1980
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\dwm.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2428
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2288
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1736
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Idle.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:696
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1028
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:712
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Festival\sppsvc.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:3044
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Media\Festival\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2276
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\Festival\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1860
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:284
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:412
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2196
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsass.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:784
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1544
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1820
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Downloads\lsass.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1636
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1252
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Downloads\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:328
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:916
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2148
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1872
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1692
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:796
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1672
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\explorer.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:988
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\L2Schemas\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:872
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1712
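The schtasks invocations above follow one pattern per dropped copy: a MINUTE-interval task, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST, each launching a binary named after a Windows system process (csrss, sppsvc, winlogon, spoolsv, dwm, lsass, smss, services, explorer, Idle) from a directory where that binary never lives. The following Python is an added detection example, not part of this report or of the sandbox's own signatures. It parses such command lines (from the tree above, or from Sysmon Event ID 1 / Security 4688 logs), clusters them by launched program, and flags the masquerading, the short re-launch interval and the elevated run level. The allow-list of expected directories is constructed for the example; the /tr parsing assumes DCRat's convention of single-quoting the program path and, for unquoted values, that no arguments follow; the sample input is three lines copied from the tree plus one constructed benign task.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Where each impersonated binary legitimately lives on a default install.
# Constructed allow-list for this example; derive a real one from a golden image.
EXPECTED_DIRS = {
    "csrss.exe": {r"c:\windows\system32"},
    "sppsvc.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "dwm.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "smss.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "idle.exe": set(),  # "System Idle Process" never exists as a file on disk
}

_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.IGNORECASE)
# A switch followed by a double-quoted or bare value; /f takes no value and is skipped.
_SWITCH = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)


def parse_schtasks(cmdline):
    """Return {"tn","sc","mo","tr","rl"} for a task-creation command line, else None."""
    if not _CREATE.search(cmdline):
        return None
    task = dict.fromkeys(("tn", "sc", "mo", "tr", "rl"))
    for m in _SWITCH.finditer(cmdline):
        value = m.group(2)
        task[m.group(1).lower()] = value[1:-1] if value.startswith('"') else value
    return task


def program_from_tr(tr):
    """Program path from /tr: DCRat single-quotes it; an unquoted value is assumed
    (for this example) to be a bare path with no arguments."""
    if tr.startswith("'"):
        end = tr.find("'", 1)
        return tr[1:end] if end > 0 else tr[1:]
    return tr


def assess_task(task):
    """Reasons a parsed creation looks like masquerading persistence (empty = benign)."""
    reasons = []
    path = PureWindowsPath(program_from_tr(task["tr"] or ""))
    expected = EXPECTED_DIRS.get(path.name.lower())
    if expected is not None and str(path.parent).lower() not in expected:
        reasons.append(f"system process name {path.name} launched from {path.parent}")
    if (task["sc"] or "").upper() == "MINUTE":
        reasons.append(f"re-launched every {task['mo']} minute(s)")
    if (task["rl"] or "").upper() == "HIGHEST":
        reasons.append("run level HIGHEST")
    return reasons


def report(cmdlines):
    """Cluster creations by launched program and collect the reasons per program.
    DCRat registers about three tasks per dropped copy under near-identical names."""
    by_program = defaultdict(list)
    for line in cmdlines:
        task = parse_schtasks(line)
        if task and task["tr"]:
            by_program[program_from_tr(task["tr"])].append(task)
    findings = {}
    for program, tasks in by_program.items():
        reasons = sorted({r for t in tasks for r in assess_task(t)})
        if reasons:
            findings[program] = {
                "task_names": sorted({t["tn"] for t in tasks}),
                "reasons": reasons,
            }
    return findings


# Constructed sample: three lines from the process tree above plus one benign task.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\security\templates\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\security\templates\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\security\templates\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\wbadmin.exe" /f''',
]

if __name__ == "__main__":
    for program, info in report(SAMPLE_CMDLINES).items():
        print(program, info["task_names"])
        for reason in info["reasons"]:
            print("   -", reason)
```

Clustering by program rather than by task name matters here: the sample reuses the same names (sppsvc, sppsvcs, lsass, lsassl) for copies in different directories, so a per-name view collapses distinct drops, while a per-program view shows the three-task set each copy registers. The benign wbadmin task is not reported because its name is not on the impersonation list and it has neither a MINUTE trigger nor a HIGHEST run level.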

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RCX3CC2.tmp

                                              Filesize

                                              2.9MB

                                              MD5

                                              20031fc68f0287c5c554218150f79ff9

                                              SHA1

                                              cede0659c8d1c8eb7b655c81a0d61a51cf00a002

                                              SHA256

                                              b420d44742a0ab56d0385b0c546d40f5e3038c19f3cde5621969c75709e60562

                                              SHA512

                                              09fac858adeb33fcbced8e81d4469879fc56124e84bafbb2bae855f75dbdb453f7c03645c10ffc1a8fc774a7fa66a6151e575eec08d82ffa55202dfdbc492452

                                            • C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe

                                              Filesize

                                              2.9MB

                                              MD5

                                              78e93535702e2a553d85bac1d4737210

                                              SHA1

                                              572ed789a4da08d6c3cc770b4b49bb6d6a4ea75f

                                              SHA256

                                              b6d844ec087f7be57656bfb4782919dbe0cf823301b441e68b7a7a8e757049fb

                                              SHA512

                                              ad2ff42ed3569df69618af61d3732744c3aa713816709dbe53b11ee07df97f744acd99c26155485a3dac76a4576592e181e3198bbaad86009de716b72a183baa

                                            • C:\Users\Admin\AppData\Local\Temp\0c46e484-0032-424b-92cf-c0b0f37b9fc9.vbs

                                              Filesize

                                              747B

                                              MD5

                                              154819491185874064c767d305e2eab4

                                              SHA1

                                              fca4bedf5e7b6698c45c3773676a6d915da28c3b

                                              SHA256

                                              9ce4378ecfd00b3baaba3d624b01eee1fe27b84208844842d4c8d697bc4bfb2a

                                              SHA512

                                              2fcb19db7f62b522dda634fcb24ac6c62b671a58f48d3c9d01feec1a97021156690e4084db8c655db67335afdf0f0c8f363bfebf0baccd36c55b387242e4a30b

                                            • C:\Users\Admin\AppData\Local\Temp\253cfe41-456b-4717-828b-437aed799842.vbs

                                              Filesize

                                              747B

                                              MD5

                                              084bda8846a94ddeef39f7b26f144eff

                                              SHA1

                                              b964d0737e9fd47f4d7b5178b9771097fc2c0f35

                                              SHA256

                                              29a152012198221e85069de7c6f8ce93520b7c982305c0f5b36cc3d09bc0b11a

                                              SHA512

                                              6e12c0402fd2193f2813161fb0caa2c2599086f2f2d1b887ace7d8446857549dd3318f9113ee477f59d8168266f52b6a2cee6b1b32622ef8e77c02dc33a5ea6d

                                            • C:\Users\Admin\AppData\Local\Temp\2dd08480-8628-4cee-9175-699b2c66e957.vbs

                                              Filesize

                                              747B

                                              MD5

                                              dea094c89327c1a808c6b03204fec474

                                              SHA1

                                              3e571b0c5b4902768f4b3284f67cb5183b592e8e

                                              SHA256

                                              066716605382ea79189b55f7cce2a499b71db683f94507cde0ebb338f0661d59

                                              SHA512

                                              ec25f852aead5c86c5ef699708887411d1ec18ceacb06ddee930dc49074339b1b45018e29302587f4e66f6312c5401b9a9578252d7297d24ce9540e46c3f5799

                                            • C:\Users\Admin\AppData\Local\Temp\82436d53-5309-40f3-ac36-a474d00d2904.vbs

                                              Filesize

                                              523B

                                              MD5

                                              723ab8a3ff7d35ef61be780666977299

                                              SHA1

                                              cbfd0b1f2af3d8b3c58d8ccc9c9ded007730f362

                                              SHA256

                                              5af77708f82c7dba36f6ea946165df1e338d6e1583f1e2514773b37b37919740

                                              SHA512

                                              bfa61488798ab0e14a24bc692261e3950ae9c369529c12be20c5ca7bc19084654026f8c46342c929aa74d9077b2e44a49b6b2eb20ee18ad846476f58c4b11355

                                            • C:\Users\Admin\AppData\Local\Temp\9251f47c-65a6-4c9d-a482-2abb570dde81.vbs

                                              Filesize

                                              747B

                                              MD5

                                              749ff186579355df3cdbfb661e2274b1

                                              SHA1

                                              b3ddc957afa29e3f4f1e3e6afc2e0a184643624b

                                              SHA256

                                              9867401ac07a54391e088079f1e2818b527fa674ad2c75df993e39a4fa63febe

                                              SHA512

                                              27f2960818ea6a64ec2744f61dfe87ae3e61efef905ec1ef190414428a5ac2b2a9e4415bba9cad67acc5d12debfa892c3543374c6ce55d96acfd4d0a1ec3c7b6

                                            • C:\Users\Admin\AppData\Local\Temp\YD2Vui68H4.bat

                                              Filesize

                                              236B

                                              MD5

                                              d2ce7ce9a8e2ab1c085033f49ce8015c

                                              SHA1

                                              e9878170b38faec1c3efc484d29bc3716a571d0d

                                              SHA256

                                              3f8bc9b4d859cc0b2a603b0a23a37298404f40345b83efd244bf232d8255ee08

                                              SHA512

                                              60cc2fc0204061fcf87e4fb21c3ab2b9a1a67bac44ea06981c92c28239c4da11c6b63a92f625e3fb555c3ceeaedde1fbb52759f0c8d7ad1c0557df1e1468f1f9

                                            • C:\Users\Admin\AppData\Local\Temp\a51755b3-c6df-49e0-84af-fe8af15f789c.vbs

                                              Filesize

                                              746B

                                              MD5

                                              65ccb9147cc9900deaa2a69505bc49b7

                                              SHA1

                                              39dc7e382672396387fe948d483cbd610952eb42

                                              SHA256

                                              9cabc068ba637f4fa74527f02fdd2e200ac59d60fd8852531460893e8c0e38ee

                                              SHA512

                                              6d46cfa2a282a3d8e98d6ae39f340652be04bd076afe21bda665afa33642ee1429ed7eb5924bbf928a9bb77601a08b5611e5a98a5813818efcb6085fe247d03e

                                            • C:\Users\Admin\AppData\Local\Temp\a7f26326-349f-4229-b1e3-0ad737bc2fcc.vbs

                                              Filesize

                                              746B

                                              MD5

                                              e29ab1a66e95b15de4f3fab6241ad19c

                                              SHA1

                                              2c1ba3bfd234c03db393761947bf59c7c8891d86

                                              SHA256

                                              1c99f002f265f28c19fd2d1eb6573fdb0c05b0163ab537c29cd9827ad7f51217

                                              SHA512

                                              e812b972ff0cc24c47742b9193c64e6f25c465e03d08f4adc0b68c11a06337c2a9e8b16903ccf816dff4479c4f38ce1dbd8fc627f648ec19d611bc240e5190eb

                                            • C:\Users\Admin\AppData\Local\Temp\b8f0c640-1635-45c6-9063-0d28594d2599.vbs

                                              Filesize

                                              747B

                                              MD5

                                              9abd9041435a9a1662da5781f087544c

                                              SHA1

                                              440457fb568926a0466cdd02740d42df41dd2c4a

                                              SHA256

                                              b277f2c28447a162d33d25f98dc1c346af688192cc450aa163b9fd3b3e1f6953

                                              SHA512

                                              99103fbaebb22e79b5b28297fed2ea8fb9c4294531f92afa00399e98a257d90de6afe2339c1381e5b1773b67b24d1188f8e30203c049b689215530b2ad5f5db9

                                            • C:\Users\Admin\AppData\Local\Temp\e4b73624-ddb4-4c31-8677-d0856c66f541.vbs

                                              Filesize

                                              747B

                                              MD5

                                              bbe489cf2fb9fd19825a267868cd4837

                                              SHA1

                                              50827a3cf4033385fbe711cbdbd97f2a6a1f05ea

                                              SHA256

                                              243380e433181ab5c8ac8c7221d3ab6aced2290284706aca85ed4c70b599a12b

                                              SHA512

                                              7aa7dc5a3059c012648692867b2745309b0fb99358cb19fca13f7395a648923606e672a112162c5586bd6f39818050ee3d7606ccb166ca120fc7990903f5518f

                                            • C:\Users\Admin\AppData\Local\Temp\e8697ec9-b9e3-439a-8b53-dbb4966a7231.vbs

                                              Filesize

                                              747B

                                              MD5

                                              e203d872550b3edbc19e33c970362f28

                                              SHA1

                                              3439b0a8d615edecc31e9ab21f3a1258ca3129ac

                                              SHA256

                                              1b9c328e94bb75dfce82d5b6eeea722e9f6df75a09951c91c88e1cb6401cb8b2

                                              SHA512

                                              9f990eedec706537f2392337c0c9cc39b88f23d0c9c67f8f4a881712f9171b3b3f22f1f44737572ee6e61b4c36f6c653ce5689b511ecff5d6c9343d73bb42da9

• C:\Users\Admin\AppData\Local\Temp\eb0bdaa7-9959-44b3-b275-374c23ad3dbc.vbs
  Filesize: 747B
  MD5: 7935ab7aab8aeeef9cb5017464e1bd26
  SHA1: b608350eba8781af1ab45678ffa33f2321db3dc6
  SHA256: 966def9e0ac621d7f15ce7dd6d7819fcc3be8d3202f564a29d5d6fc17aecdb0f
  SHA512: 22068df16ca472e96a0c4fa05e8c37f71f71ee8f382c5767b3050cf106ef09d3d7ac3b7bb5ca6eddff1072131cc451aeb3046de239df8aa09b30f39b91ea3812

• C:\Users\Admin\AppData\Local\Temp\f7daee9d-82b9-4f22-a005-16c8163551ed.vbs
  Filesize: 747B
  MD5: 56f85821cb29ab7f4699d7dab7210628
  SHA1: b4ee699e9619d1cf07f3b031bdd823488d8c555e
  SHA256: 79f46a7cb87b06faaba0abf9e7263b90c844edf2cc8c994a4118456e20634406
  SHA512: 50b88774700fbdb4673b1d1f17d9ce8250b995a4fafb985d465410961f58a7f4ce32d3ca3a940887ce95608d07423dd03987478e8606a3af4558e539b5c59ea9

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 2f7e0827bd66c30c0448e0e53ab8e3cd
  SHA1: 687002a7fef17843fa22ac3fda77cf7fc747dd1c
  SHA256: 46bb4517067409bf6deef0d56bce94a6dc13e9d6357e70dd84423aa9fbffe4e6
  SHA512: 76bc6bd81fad46d928cca300d63427b7a65e02f40a4f36e0cd55eb9ea17a34dc108a0dd5e3849ed598eda41e3718aef031d512b947310a430483ed3b5aba7cec

• C:\Users\Admin\Downloads\lsass.exe
  Filesize: 2.9MB
  MD5: 9e975e4571f20460374c62ea829340aa
  SHA1: 25b227e24e881e1cce4369c3c65c3ba607afbbc4
  SHA256: 77f6112d0389830cb25aab10c52c379a96b5eb410b8588fad32fa9e4e27523b2
  SHA512: bcacf613713f7c529179cf9c6ca052bde56a266a162c7d867a7a6866c21c2a2e303940841a03d078dc9b751b6920fbbfc9648af87bff29de3085d42d2953797d

• memory/988-276-0x0000000000300000-0x00000000005E6000-memory.dmp
  Filesize: 2.9MB

• memory/1400-313-0x0000000000DC0000-0x00000000010A6000-memory.dmp
  Filesize: 2.9MB

• memory/1524-373-0x00000000002F0000-0x00000000005D6000-memory.dmp
  Filesize: 2.9MB

• memory/1616-325-0x0000000000130000-0x0000000000416000-memory.dmp
  Filesize: 2.9MB

• memory/1664-14-0x0000000000D80000-0x0000000000D8C000-memory.dmp
  Filesize: 48KB

• memory/1664-6-0x0000000000480000-0x0000000000496000-memory.dmp
  Filesize: 88KB

• memory/1664-23-0x0000000000FE0000-0x0000000000FE8000-memory.dmp
  Filesize: 32KB

• memory/1664-25-0x0000000001000000-0x000000000100C000-memory.dmp
  Filesize: 48KB

• memory/1664-24-0x0000000000FF0000-0x0000000000FFA000-memory.dmp
  Filesize: 40KB

• memory/1664-21-0x0000000000F80000-0x0000000000F8E000-memory.dmp
  Filesize: 56KB

• memory/1664-20-0x0000000000F70000-0x0000000000F78000-memory.dmp
  Filesize: 32KB

• memory/1664-19-0x0000000000F60000-0x0000000000F6E000-memory.dmp
  Filesize: 56KB

• memory/1664-18-0x0000000000F50000-0x0000000000F5A000-memory.dmp
  Filesize: 40KB

• memory/1664-204-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp
  Filesize: 9.9MB

• memory/1664-1-0x0000000001140000-0x0000000001426000-memory.dmp
  Filesize: 2.9MB

• memory/1664-2-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp
  Filesize: 9.9MB

• memory/1664-17-0x0000000000F40000-0x0000000000F48000-memory.dmp
  Filesize: 32KB

• memory/1664-3-0x0000000000150000-0x000000000016C000-memory.dmp
  Filesize: 112KB

• memory/1664-16-0x0000000000F30000-0x0000000000F38000-memory.dmp
  Filesize: 32KB

• memory/1664-15-0x0000000000F00000-0x0000000000F12000-memory.dmp
  Filesize: 72KB

• memory/1664-5-0x0000000000180000-0x0000000000190000-memory.dmp
  Filesize: 64KB

• memory/1664-0-0x000007FEF50D3000-0x000007FEF50D4000-memory.dmp
  Filesize: 4KB

• memory/1664-13-0x0000000000B10000-0x0000000000B18000-memory.dmp
  Filesize: 32KB

• memory/1664-12-0x00000000005F0000-0x00000000005FC000-memory.dmp
  Filesize: 48KB

• memory/1664-4-0x0000000000170000-0x0000000000178000-memory.dmp
  Filesize: 32KB

• memory/1664-22-0x0000000000F90000-0x0000000000F9C000-memory.dmp
  Filesize: 48KB

• memory/1664-11-0x0000000000D30000-0x0000000000D86000-memory.dmp
  Filesize: 344KB

• memory/1664-7-0x00000000004A0000-0x00000000004A8000-memory.dmp
  Filesize: 32KB

• memory/1664-10-0x00000000005C0000-0x00000000005CA000-memory.dmp
  Filesize: 40KB

• memory/1664-8-0x00000000005D0000-0x00000000005D8000-memory.dmp
  Filesize: 32KB

• memory/1664-9-0x00000000005E0000-0x00000000005F0000-memory.dmp
  Filesize: 64KB

• memory/1804-264-0x0000000001040000-0x0000000001326000-memory.dmp
  Filesize: 2.9MB

• memory/1808-337-0x00000000009F0000-0x0000000000CD6000-memory.dmp
  Filesize: 2.9MB

• memory/1952-349-0x0000000000ED0000-0x00000000011B6000-memory.dmp
  Filesize: 2.9MB

• memory/1952-350-0x0000000000490000-0x00000000004A2000-memory.dmp
  Filesize: 72KB

• memory/2008-301-0x0000000000A50000-0x0000000000D36000-memory.dmp
  Filesize: 2.9MB

• memory/2104-193-0x000000001B5E0000-0x000000001B8C2000-memory.dmp
  Filesize: 2.9MB

• memory/2104-198-0x0000000002230000-0x0000000002238000-memory.dmp
  Filesize: 32KB

• memory/2376-289-0x00000000022D0000-0x00000000022E2000-memory.dmp
  Filesize: 72KB

• memory/2376-288-0x0000000000230000-0x0000000000516000-memory.dmp
  Filesize: 2.9MB

• memory/2844-253-0x0000000000BA0000-0x0000000000E86000-memory.dmp
  Filesize: 2.9MB