Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
  • submitted
    16-05-2024 01:57

General

  • Target

    78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe

  • Size

    2.9MB

  • MD5

    78e93535702e2a553d85bac1d4737210

  • SHA1

    572ed789a4da08d6c3cc770b4b49bb6d6a4ea75f

  • SHA256

    b6d844ec087f7be57656bfb4782919dbe0cf823301b441e68b7a7a8e757049fb

  • SHA512

    ad2ff42ed3569df69618af61d3732744c3aa713816709dbe53b11ee07df97f744acd99c26155485a3dac76a4576592e181e3198bbaad86009de716b72a183baa

  • SSDEEP

    49152:H4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:YDKmzjWnC8Wikx1DUN2/Uq

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 45 IoCs
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 14 IoCs
  • Checks whether UAC is enabled 1 TTPs 30 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 27 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1956
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1780
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:968
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3724
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4104
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1340
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4488
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3756
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3312
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZQqiTadxcN.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:224
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:952
        • C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
          "C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4136
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:372
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4380
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4468
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:116
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4600
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4916
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1132
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4596
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:404
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:932
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4556
          • C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
            "C:\Recovery\WindowsRE\MoUsoCoreWorker.exe"
            4⤵
            • UAC bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:4648
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b173bbe-c155-4fca-a1bc-1348087e4f1e.vbs"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:652
              • C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
                C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
                6⤵
                • UAC bypass
                • Checks computer location settings
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:3092
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfa6ae54-1abb-4799-9a1c-a7f6e3815d91.vbs"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2528
                  • C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
                    C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
                    8⤵
                    • UAC bypass
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Modifies registry class
                    • Suspicious use of AdjustPrivilegeToken
                    • System policy modification
                    PID:4132
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9a35882-00d1-49f7-b58c-08b0cbc620f3.vbs"
                      9⤵
                        PID:4920
                        • C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
                          C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
                          10⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • System policy modification
                          PID:1820
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5894016f-f166-45a4-8001-8353ee8b6aca.vbs"
                            11⤵
                              PID:3528
                              • C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
                                C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
                                12⤵
                                • UAC bypass
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Modifies registry class
                                • Suspicious use of AdjustPrivilegeToken
                                • System policy modification
                                PID:556
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80421db3-22ba-4217-84b8-0b03f7e86823.vbs"
                                  13⤵
                                    PID:3312
                                    • C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
                                      C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
                                      14⤵
                                      • UAC bypass
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Modifies registry class
                                      • Suspicious use of AdjustPrivilegeToken
                                      • System policy modification
                                      PID:4696
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e499dcae-6725-4353-9a5e-d80028b70d8b.vbs"
                                        15⤵
                                          PID:2088
                                          • C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
                                            C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
                                            16⤵
                                            • UAC bypass
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Checks whether UAC is enabled
                                            • Modifies registry class
                                            • Suspicious use of AdjustPrivilegeToken
                                            • System policy modification
                                            PID:3148
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58f8aa1a-4943-4f98-b8ac-c8dfc60c3da8.vbs"
                                              17⤵
                                                PID:4056
                                                • C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
                                                  C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
                                                  18⤵
                                                  • UAC bypass
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Checks whether UAC is enabled
                                                  • Modifies registry class
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • System policy modification
                                                  PID:932
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40610d9d-4d65-42d7-92a2-f88f3562d160.vbs"
                                                    19⤵
                                                      PID:2884
                                                      • C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
                                                        C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
                                                        20⤵
                                                        • UAC bypass
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Checks whether UAC is enabled
                                                        • Modifies registry class
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • System policy modification
                                                        PID:2992
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b70ae50e-4fef-443b-ac5e-eb6d7d8348af.vbs"
                                                          21⤵
                                                            PID:3028
                                                            • C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
                                                              C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
                                                              22⤵
                                                              • UAC bypass
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Checks whether UAC is enabled
                                                              • Modifies registry class
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • System policy modification
                                                              PID:3756
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a8b9333-4fd5-40fd-b966-8f38bf7f9fec.vbs"
                                                                23⤵
                                                                  PID:4020
                                                                  • C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
                                                                    C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
                                                                    24⤵
                                                                    • UAC bypass
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Checks whether UAC is enabled
                                                                    • Modifies registry class
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    • System policy modification
                                                                    PID:4800
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c3fa160-ff4b-4f95-8342-56cb24859c61.vbs"
                                                                      25⤵
                                                                        PID:952
                                                                        • C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
                                                                          C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
                                                                          26⤵
                                                                          • UAC bypass
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Checks whether UAC is enabled
                                                                          • Modifies registry class
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          • System policy modification
                                                                          PID:3208
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a89b5eb4-4336-4e09-8004-26c28cea6710.vbs"
                                                                            27⤵
                                                                              PID:220
                                                                              • C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
                                                                                C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
                                                                                28⤵
                                                                                • UAC bypass
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • Checks whether UAC is enabled
                                                                                • Modifies registry class
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                • System policy modification
                                                                                PID:1728
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f8fa3c3-ca8a-4954-8181-9da7983f4cb7.vbs"
                                                                                  29⤵
                                                                                    PID:4540
                                                                                  • C:\Windows\System32\WScript.exe
                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a356461c-b10c-42a4-8cc7-d915c6faab5d.vbs"
                                                                                    29⤵
                                                                                      PID:3148
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58d2a68a-6a4f-4b9f-a89c-2b7d8979a8f3.vbs"
                                                                                  27⤵
                                                                                    PID:4156
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d8a3fdc-54bf-44b0-82e2-3970ab15554b.vbs"
                                                                                25⤵
                                                                                  PID:3404
                                                                            • C:\Windows\System32\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6319cd0-a3a0-493b-b1cc-d1fd1506ea8e.vbs"
                                                                              23⤵
                                                                                PID:2904
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e397b3b3-123b-4999-b3be-40413dbff9ff.vbs"
                                                                            21⤵
                                                                              PID:536
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68a7a5be-6277-495a-a4fe-e4b1bb245181.vbs"
                                                                          19⤵
                                                                            PID:1492
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfdc1722-da0f-4ea5-aeec-96fd832e76bd.vbs"
                                                                        17⤵
                                                                          PID:3808
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91d16235-6993-49a6-80db-51ff7f5de65b.vbs"
                                                                      15⤵
                                                                        PID:520
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c19902d6-a0b6-4a37-b4da-3b3035518e07.vbs"
                                                                    13⤵
                                                                      PID:2200
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d404ec8-e41e-439d-9aee-9c6344d69d40.vbs"
                                                                  11⤵
                                                                    PID:3844
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b1a544a-5fe4-4148-b7b9-fb06e4de23db.vbs"
                                                                9⤵
                                                                  PID:4600
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\313132f1-e73f-466b-a08c-01032800b875.vbs"
                                                              7⤵
                                                                PID:2044
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e5372fa-9571-4877-87d7-08cebadf1291.vbs"
                                                            5⤵
                                                              PID:2628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2088
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\L2Schemas\lsass.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:4252
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\lsass.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:3652
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsass.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:3576
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsass.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:2928
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsass.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:3308
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:2276
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:4324
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:4372
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:4740
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:4512
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:1072
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:3176
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:4916
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:1528
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:464
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:2172
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:3560
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\upfc.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:348
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\upfc.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:2484
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\upfc.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:564
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:2444
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:2520
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:4888
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:3064
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:4580
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:4928
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\lsass.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:3684
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\lsass.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:3252
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\lsass.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:1644
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\OfficeClickToRun.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:4372
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\it-IT\OfficeClickToRun.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:2536
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\OfficeClickToRun.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:4064
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:4380
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:4600
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:1132
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\SearchApp.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:3360
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\SearchApp.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:404
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\SearchApp.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:4976
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:4692
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:464
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:4956
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\upfc.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:1072
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\upfc.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:3708
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\upfc.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:2252
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:548
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:2444
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:1244
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:4644
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:5068
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:3136
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\SppExtComObj.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:3016
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\SppExtComObj.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:4084
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\SppExtComObj.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:1528
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\sysmon.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:4212
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\sysmon.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:1836
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\sysmon.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:2520
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:5040
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:1288
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      • Creates scheduled task(s)
                                                      PID:4056
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'" /f
                                                      1⤵
                                                      • Creates scheduled task(s)
                                                      PID:1260
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Process spawned unexpected child process
                                                      PID:4164
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Creates scheduled task(s)
                                                      PID:2052
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\sppsvc.exe'" /f
                                                      1⤵
                                                      • Creates scheduled task(s)
                                                      PID:4048
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\sppsvc.exe'" /rl HIGHEST /f
                                                      1⤵
                                                        PID:4104
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\sppsvc.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Creates scheduled task(s)
                                                        PID:1656
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Windows\SysWOW64\networklist\icons\sihost.exe'" /f
                                                        1⤵
                                                        • Creates scheduled task(s)
                                                        PID:3576
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\networklist\icons\sihost.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Creates scheduled task(s)
                                                        PID:3844
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\SysWOW64\networklist\icons\sihost.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Creates scheduled task(s)
                                                        PID:2092
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\unsecapp.exe'" /f
                                                        1⤵
                                                        • Creates scheduled task(s)
                                                        PID:2908
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\unsecapp.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Creates scheduled task(s)
                                                        PID:4900
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\unsecapp.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Creates scheduled task(s)
                                                        PID:3532
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /f
                                                        1⤵
                                                        • Creates scheduled task(s)
                                                        PID:3464
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Creates scheduled task(s)
                                                        PID:848
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Creates scheduled task(s)
                                                        PID:2088
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
                                                        1⤵
                                                        • Creates scheduled task(s)
                                                        PID:1880
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
                                                        1⤵
                                                          PID:2884
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Creates scheduled task(s)
                                                          PID:1084
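The schtasks.exe invocations above follow one pattern per dropped binary: two MINUTE-triggered tasks and one ONLOGON task, with /rl HIGHEST on the ONLOGON task and on the second MINUTE task, and /f so that the second definition of a task name silently replaces the first. Each target is a copy that borrows the name of a Windows binary but lives outside System32. The Python below is an added example, not part of the sandbox report, that parses such command lines and flags those traits. The sample command lines are copied from the process tree; the system-directory allow-list, the list of borrowed binary names and the 15-minute frequency threshold are assumptions chosen for illustration.

```python
"""Triage schtasks.exe persistence from a sandbox process tree (added example)."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

# Command lines copied from the process tree above (a representative subset).
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\sysmon.exe'" /f''',
    r'''schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\sysmon.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Windows\SysWOW64\networklist\icons\sihost.exe'" /f''',
    r'''schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\unsecapp.exe'" /f''',
    r'''schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f''',
]

# Assumption: directories where the genuine copies of these binaries live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\system32\wbem"}
# Assumption: Windows binary names this sample's dropped copies borrow.
WINDOWS_BINARIES = {"runtimebroker.exe", "spoolsv.exe", "sppsvc.exe", "sihost.exe",
                    "unsecapp.exe", "winlogon.exe", "backgroundtaskhost.exe", "upfc.exe"}
BEACON_MINUTES = 15  # assumption: MINUTE triggers this frequent behave like a watchdog

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, honouring double-quoted arguments."""
    return [m.group(1) if m.group(1) is not None else m.group(2) for m in _TOKEN.finditer(cmdline)]


@dataclass
class Task:
    name: str
    schedule: str
    modifier: Optional[int]
    target: str
    run_level: str
    force: bool
    findings: List[str] = field(default_factory=list)


def parse_schtasks(cmdline: str) -> Optional[Task]:
    """Return a Task for a 'schtasks /create' command line, else None."""
    toks = tokenize(cmdline)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] != "schtasks.exe":
        return None
    if "/create" not in (t.lower() for t in toks):
        return None
    opts = {}
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        if t.startswith("/"):
            # A switch takes the next token as its value unless that is another switch.
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[t[1:]] = toks[i + 1]
                i += 2
            else:
                opts[t[1:]] = True
                i += 1
        else:
            i += 1
    mo = opts.get("mo")
    return Task(
        name=str(opts.get("tn", "")),
        schedule=str(opts.get("sc", "")).upper(),
        modifier=int(mo) if isinstance(mo, str) and mo.isdigit() else None,
        target=str(opts.get("tr", "")).strip("'\""),  # the sample wraps paths in "'...'"
        run_level=str(opts.get("rl", "LIMITED")).upper(),  # schtasks default when /rl is omitted
        force=opts.get("f") is True,
    )


def assess(task: Task) -> Task:
    """Attach the findings a responder would key on to a parsed task."""
    p = PureWindowsPath(task.target)
    name, stem, parent = p.name.lower(), p.stem.lower(), str(p.parent).lower()
    if name in WINDOWS_BINARIES and parent not in SYSTEM_DIRS:
        task.findings.append(f"masquerade: {p.name} outside a system directory ({p.parent})")
    if task.run_level == "HIGHEST":
        task.findings.append("run_level: HIGHEST (task runs elevated)")
    if task.schedule == "MINUTE" and task.modifier is not None and task.modifier <= BEACON_MINUTES:
        task.findings.append(f"frequency: re-executed every {task.modifier} min")
    # Pattern visible in the report: task name is the binary stem, or the stem plus one letter.
    n = task.name.lower()
    if n == stem or (n.startswith(stem) and len(n) == len(stem) + 1):
        task.findings.append("naming: task name derived from the target binary name")
    return task


def triage(cmdlines: List[str]) -> List[Task]:
    return [assess(t) for t in map(parse_schtasks, cmdlines) if t is not None]


def persistence_targets(tasks: List[Task]) -> dict:
    """Group task names by target binary; several tasks per dropped copy is the pattern here."""
    by_target: dict = {}
    for t in tasks:
        by_target.setdefault(t.target, []).append(t.name)
    return by_target


if __name__ == "__main__":
    for t in triage(SAMPLE_CMDLINES):
        print(f"{t.name:<16} {t.schedule:<8} {t.target}")
        for f in t.findings:
            print("    -", f)
```

The same parser works on the CommandLine field of Sysmon Event ID 1 or on the task definitions recorded in Windows Security event 4698, which is where these creations would surface on a monitored host.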

                                                        Network

                                                        MITRE ATT&CK Enterprise v15

                                                        Downloads

                                                        • C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe

                                                          Filesize

                                                          2.9MB

                                                          MD5

                                                          78e93535702e2a553d85bac1d4737210

                                                          SHA1

                                                          572ed789a4da08d6c3cc770b4b49bb6d6a4ea75f

                                                          SHA256

                                                          b6d844ec087f7be57656bfb4782919dbe0cf823301b441e68b7a7a8e757049fb

                                                          SHA512

                                                          ad2ff42ed3569df69618af61d3732744c3aa713816709dbe53b11ee07df97f744acd99c26155485a3dac76a4576592e181e3198bbaad86009de716b72a183baa

                                                        • C:\Program Files\VideoLAN\upfc.exe

                                                          Filesize

                                                          2.9MB

                                                          MD5

                                                          2a06e3beeaa835088a964ba57fe2c518

                                                          SHA1

                                                          9ed54ddf7ae1d9ad31fa32e5f930f4c2a3947117

                                                          SHA256

                                                          3c23c634ed615c63f2461ab55425b70293725caf46cd5b8823901feed63efcd6

                                                          SHA512

                                                          45f60e3d02e7c44b96d37b07d186f0e4fb5c84e5d44c73c56408bb9b2ef84cabc2be243cd94cf7129ff09f285cb2a0d2b4becc0bfdcbfd2d03ac7cf0f3e380a3

                                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe.log

                                                          Filesize

                                                          1KB

                                                          MD5

                                                          bbb951a34b516b66451218a3ec3b0ae1

                                                          SHA1

                                                          7393835a2476ae655916e0a9687eeaba3ee876e9

                                                          SHA256

                                                          eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

                                                          SHA512

                                                          63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

                                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MoUsoCoreWorker.exe.log

                                                          Filesize

                                                          1KB

                                                          MD5

                                                          4a667f150a4d1d02f53a9f24d89d53d1

                                                          SHA1

                                                          306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

                                                          SHA256

                                                          414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

                                                          SHA512

                                                          4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

                                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                          Filesize

                                                          2KB

                                                          MD5

                                                          d85ba6ff808d9e5444a4b369f5bc2730

                                                          SHA1

                                                          31aa9d96590fff6981b315e0b391b575e4c0804a

                                                          SHA256

                                                          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                          SHA512

                                                          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                          Filesize

                                                          944B

                                                          MD5

                                                          bd5940f08d0be56e65e5f2aaf47c538e

                                                          SHA1

                                                          d7e31b87866e5e383ab5499da64aba50f03e8443

                                                          SHA256

                                                          2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

                                                          SHA512

                                                          c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                          Filesize

                                                          944B

                                                          MD5

                                                          2e907f77659a6601fcc408274894da2e

                                                          SHA1

                                                          9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                                                          SHA256

                                                          385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                                                          SHA512

                                                          34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                          Filesize

                                                          944B

                                                          MD5

                                                          cadef9abd087803c630df65264a6c81c

                                                          SHA1

                                                          babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                                                          SHA256

                                                          cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                                                          SHA512

                                                          7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                          Filesize

                                                          944B

                                                          MD5

                                                          62623d22bd9e037191765d5083ce16a3

                                                          SHA1

                                                          4a07da6872672f715a4780513d95ed8ddeefd259

                                                          SHA256

                                                          95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

                                                          SHA512

                                                          9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                          Filesize

                                                          610B

                                                          MD5

                                                          65b1e267338bca7c1a2a806576540588

                                                          SHA1

                                                          56288ef4ce5f8d08ec0c04526977235cdcc58398

                                                          SHA256

                                                          d9e572e11e82aeaa1234751e49bbd186575575c55e09fad0818e0a2126d28a84

                                                          SHA512

                                                          8bedfda6abcad4581fabdd34bd89be5188c5387e535ff2dc9e34b0aa0667df677789dd283d67160b9f5a885f6a199d82b637d05ca8d3c8ba1380e2d6d7aba152

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                          Filesize

                                                          944B

                                                          MD5

                                                          6d42b6da621e8df5674e26b799c8e2aa

                                                          SHA1

                                                          ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                                                          SHA256

                                                          5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                                                          SHA512

                                                          53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                          Filesize

                                                          944B

                                                          MD5

                                                          2ea91e7d1b473f8290ae52d13e105194

                                                          SHA1

                                                          5e565d99a7733250427e70f5f6e1951a081deed6

                                                          SHA256

                                                          712db2b991a3c11ccd71b36cfe99fad0b5b1eb1026b12d28c35a43334128671a

                                                          SHA512

                                                          0d6e2f0f8963986cb27a5cb853c5a87af5d2b65142ff082b4a12681b467d4a72efbcaea71307513523915aa4f27e7b238c67f4ab563f69525938f38253599424

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                          Filesize

                                                          944B

                                                          MD5

                                                          dd0716df5ff6e2ed8bfa08e271d64dd8

                                                          SHA1

                                                          c342bbe936058ea27843d5dbe5eb434f926612f7

                                                          SHA256

                                                          15ea3598b422f0d7705405688a174b98789b623154d4ccf3f3148f7c10bafdd8

                                                          SHA512

                                                          7e6dc8f9ad269ca3969e7b1284399f16f59559d5a4232537147fb7edcba86932474eff26921c09472894d55ee045dd3e371dcfce65d358785166742582e0b8a4

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                          Filesize

                                                          944B

                                                          MD5

                                                          c9478c9419eff5c6f926498364d8c3a0

                                                          SHA1

                                                          0c68dfdd6106fc85121592d5f00ad2d9b5c888c1

                                                          SHA256

                                                          e5bc3944768915b60045d5d3e72eaeb665497fc815555ac8ec638edcee7b7587

                                                          SHA512

                                                          3267fb9291a2d10fea94199cbe99242516561d602949ce08e1926566955f6f08d2e7145851f4a96656b67a0a1a3c49aa43c9df3a5c6ac6e0b5e22fbd3cb96a11

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                          Filesize

                                                          944B

                                                          MD5

                                                          a672fcf7facce635c83caf7b195d0bf8

                                                          SHA1

                                                          fec2f6c2456efe713ba08fa692a4a356f2f37ba8

                                                          SHA256

                                                          71945453f618f8cf9c2ddb24132d7e0522643e13ce42a59ff65476938f56082c

                                                          SHA512

                                                          12713a140e8a73c9dd8b3bc309e3ff1256c16ecd019d1ded31ab47c71651b11dcdcf48ef889805e5bc87bdeb323c5663ff34313cc41170d2d9b45051107dc31f

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                          Filesize

                                                          944B

                                                          MD5

                                                          cfecb4e0f846589c2742fd84d6bbd1db

                                                          SHA1

                                                          730c66c99e80f1c7d0fdd1ef7483c9dfb0a770ec

                                                          SHA256

                                                          12190c96e9eef24f7ee9a4e19d806f29d4aedab1f2c696478dea5684941824aa

                                                          SHA512

                                                          669241f726837dcd3b6c6664e002c4938cf1ccf9be3f3b4a953efb35a2977c6ea9536e1b61b92b1b716991f9801f4516d8e1d53c65ac605174ece553f19da475

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                          Filesize

                                                          944B

                                                          MD5

                                                          057e7742b25e65a341d1341da25b54a8

                                                          SHA1

                                                          65c874ac4f429a4172bdf89a73922e39873ecab6

                                                          SHA256

                                                          f8cf996545599e442f94820af5c724fca27d22de96bcef6aa308d0520c3a1468

                                                          SHA512

                                                          94b461e3705336b9ebf10df506f4a436cee20ac60540cfb6fd2f36c48e011836bf1f9e3f00e5b254ad6e6f1338a976dba495d398b4459687f518e815afde04e7

                                                        • C:\Users\Admin\AppData\Local\Temp\40610d9d-4d65-42d7-92a2-f88f3562d160.vbs

                                                          Filesize

                                                          716B

                                                          MD5

                                                          a6811b5da29d9baed168a893c9992ad7

                                                          SHA1

                                                          5f46d69e45011cda7bfc24c592cb9f8bbe984055

                                                          SHA256

                                                          25cd9a1afa92d5fa2ef06912d9f2bdeb051bbab09241b9ec464bf9b1d010e287

                                                          SHA512

                                                          36b6df18f1e8c9488e108eeb7b0abec2f79bd4723d03962562d3b19c1ba7ace0722b4a440364ff3e60d60f14472b2311b56f99c3fdee018a93f9a69ebb53f681

                                                        • C:\Users\Admin\AppData\Local\Temp\5894016f-f166-45a4-8001-8353ee8b6aca.vbs

                                                          Filesize

                                                          717B

                                                          MD5

                                                          52438066d0ffa6fb9784f69701339aba

                                                          SHA1

                                                          e8819ee53fcfef04173e4f81caca5f25fcfc77c6

                                                          SHA256

                                                          728de1dc9508c8eeedf5465acd4f02f5cf6a726fa82229e3689bcff80e4c625c

                                                          SHA512

                                                          f10e52f362f768c510681702a506390a8e1739e075c09955e0380a15003273e5785b7029917c99f2cbe67fce09c629bfeb44c428c4f3e1d640265aa9dc9eb11c

                                                        • C:\Users\Admin\AppData\Local\Temp\58f8aa1a-4943-4f98-b8ac-c8dfc60c3da8.vbs

  Filesize: 717B
  MD5: e5a0191daa8485d7219bab869c94350d
  SHA1: e89fbe893169a77c7cf0fd2127fa484d05048939
  SHA256: 87f16eee25b3bf75a30f7391138198b0efbea770600406e57ec5eb00b310828d
  SHA512: 013c8085e98cd899fcdeb5f350d7219f4839850bae866b2dd8fb94c7af6d76041f1f9bbe3d9d20b8930269e2bf5ac36126d1032317cefbe0409a707e2b0419fe

• C:\Users\Admin\AppData\Local\Temp\5b173bbe-c155-4fca-a1bc-1348087e4f1e.vbs
  Filesize: 717B
  MD5: 08273c754b3c3929ad8a28521aeb250c
  SHA1: cf63d7a413c563c224e0eafcb025d9d29f5e75e8
  SHA256: 87d26bbafd3e8eea7686200ea297ac226502e796dc191b593f40d09468724939
  SHA512: 62b242642c3e3a12f43a9dbb4847df5b331ec967e5fa65f912f440e40ec3559628e4195011a2d69d300d0312550e4a821eb073e8d67190aff9df375252d7338e

• C:\Users\Admin\AppData\Local\Temp\5e5372fa-9571-4877-87d7-08cebadf1291.vbs
  Filesize: 493B
  MD5: 742b4b37c6f919194d0e4be1f736cd95
  SHA1: 18a32b01ca91d6f5a8906e44f0bece4c9a147ce5
  SHA256: eea88b2b7bd81f39403385a468b5b90d9c2b311127e88aef0e877a2cdb8ff01b
  SHA512: 0e8bdbe113fa31c5ca232126e0b37208cf24aa6ae5f93266a82704ddfef9945a14976ccc27e9c4fe1428fbce6495964369bcabcfccb45c9f6d9f4895cd04748e

• C:\Users\Admin\AppData\Local\Temp\80421db3-22ba-4217-84b8-0b03f7e86823.vbs
  Filesize: 716B
  MD5: 5d6a8da1ae1ad4fc8057c51f4b24c065
  SHA1: 31e81167ed19ad72615b0435c231f9b0021c8c3d
  SHA256: c5d803be055b37f58b3b3fb7e451779d51ae317f5706de5efcc1a8a8c6074291
  SHA512: 5b4a6e8caadae10d3387cad728c5473374371aa254141ae4e636a5a66e8e3a8b034ce208b98b0b8a2eaab6230ccaa819727a7e08f04a2c9ab7b4329b2db4350f

• C:\Users\Admin\AppData\Local\Temp\ZQqiTadxcN.bat
  Filesize: 250B
  MD5: db8a077e7c45e7fa32483d62fda4a1c9
  SHA1: ebb66bb68ea5d2fca325edb7e3254340ec61a1e4
  SHA256: dcadd3a9996ceb163e47278267543483ba19c6616e7132118ce76a500d475b3d
  SHA512: e6f346a71226c19c4aafc0d7c6a2bc88337b480f4317884b53837a9b4d309da9c425e241f70bc961aec7ae656c7711701601ab299752a5d3e368504e3b0ee6cd

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1qoivwfd.m5b.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• C:\Users\Admin\AppData\Local\Temp\a9a35882-00d1-49f7-b58c-08b0cbc620f3.vbs
  Filesize: 717B
  MD5: 86f461bfd4c383d8d471c455d2c024a4
  SHA1: 657ce0d65028bc693b15ce05c24345a4fd40164f
  SHA256: d2d5a81883d9d82081ac6e85efcfaf08af705a8c7186856db938ca597e8d8ee2
  SHA512: ade6611f6d01569dae9eb5a0c19c7d8a92d3b71a770cdf0eab1d18ca9f79d14fca8577b3d56b33756da97d265c5d5182980e2ccfd908b024302c0d80375c7360

• C:\Users\Admin\AppData\Local\Temp\b70ae50e-4fef-443b-ac5e-eb6d7d8348af.vbs
  Filesize: 717B
  MD5: 64f6df1b7cc7cde134f9592d5da389f0
  SHA1: 8bae95012a247f8ba89d35675e0bad6c78d10454
  SHA256: f0b04210b106d1f0c357f60e364d0c094fb97d78b09b2acacd1118f625b7d6e4
  SHA512: 38677db1c5d80d03bf285a61db55ebd3eeddebb08acd56f848916b6d36bb3295a6852d5a732e47208665c834e8979691f915db2aed62a9ebf2231b48ebd29189

• C:\Users\Admin\AppData\Local\Temp\dfa6ae54-1abb-4799-9a1c-a7f6e3815d91.vbs
  Filesize: 717B
  MD5: 32ede7cbdb2a1c5e6526f793a9298af0
  SHA1: 8fcae9cb3bd7910c5dc49415128b748993922fa2
  SHA256: 4e89ccb358667c819967cf15d19c610d98bb004055be167a78088afd560c919b
  SHA512: 2dd4d0cb712fe66eadb210fd5b92707245187804ebfca3ebe8da2e47a8c2fb11b139fbc4f9b048d93d2351fa111ec926ee233bb81c43b21a8bf00816ea728b4f

• C:\Users\Admin\AppData\Local\Temp\e499dcae-6725-4353-9a5e-d80028b70d8b.vbs
  Filesize: 717B
  MD5: 67c2904ab64c826ff200a1df6e90a7d1
  SHA1: 979e541f24b7b2b88df4281fd31f1c53430e7742
  SHA256: e7909a47ec3a2de120629ba145499c470efd8c6a8b4f2dceefd40530aefa9a68
  SHA512: 4e4022fa183e3cb0f460d84524ff0f96bd700b165d83230d3b2e296e1d74a31d23f30e1cacd23d0b67f1e2615523ab3bfac7da2d0c974b2d82cbb8b81480b222
• memory/932-574-0x0000000002A10000-0x0000000002A22000-memory.dmp
  Filesize: 72KB

• memory/1956-16-0x000000001B770000-0x000000001B782000-memory.dmp
  Filesize: 72KB

• memory/1956-14-0x000000001B750000-0x000000001B758000-memory.dmp
  Filesize: 32KB

• memory/1956-1-0x0000000000100000-0x00000000003E6000-memory.dmp
  Filesize: 2.9MB

• memory/1956-27-0x000000001B830000-0x000000001B83C000-memory.dmp
  Filesize: 48KB

• memory/1956-26-0x000000001B820000-0x000000001B82A000-memory.dmp
  Filesize: 40KB

• memory/1956-25-0x000000001B810000-0x000000001B818000-memory.dmp
  Filesize: 32KB

• memory/1956-24-0x000000001B800000-0x000000001B80C000-memory.dmp
  Filesize: 48KB

• memory/1956-18-0x000000001B7A0000-0x000000001B7A8000-memory.dmp
  Filesize: 32KB

• memory/1956-19-0x000000001B7B0000-0x000000001B7B8000-memory.dmp
  Filesize: 32KB

• memory/1956-20-0x000000001B7C0000-0x000000001B7CA000-memory.dmp
  Filesize: 40KB

• memory/1956-21-0x000000001B7D0000-0x000000001B7DE000-memory.dmp
  Filesize: 56KB

• memory/1956-22-0x000000001B7E0000-0x000000001B7E8000-memory.dmp
  Filesize: 32KB

• memory/1956-23-0x000000001B7F0000-0x000000001B7FE000-memory.dmp
  Filesize: 56KB

• memory/1956-17-0x000000001BCD0000-0x000000001C1F8000-memory.dmp
  Filesize: 5.2MB

• memory/1956-0-0x00007FFCFEE13000-0x00007FFCFEE15000-memory.dmp
  Filesize: 8KB

• memory/1956-15-0x000000001B760000-0x000000001B76C000-memory.dmp
  Filesize: 48KB

• memory/1956-2-0x00007FFCFEE10000-0x00007FFCFF8D1000-memory.dmp
  Filesize: 10.8MB

• memory/1956-124-0x00007FFCFEE10000-0x00007FFCFF8D1000-memory.dmp
  Filesize: 10.8MB

• memory/1956-13-0x000000001B740000-0x000000001B74C000-memory.dmp
  Filesize: 48KB

• memory/1956-12-0x000000001B6F0000-0x000000001B746000-memory.dmp
  Filesize: 344KB

• memory/1956-11-0x000000001B6E0000-0x000000001B6EA000-memory.dmp
  Filesize: 40KB

• memory/1956-4-0x000000001B690000-0x000000001B6E0000-memory.dmp
  Filesize: 320KB

• memory/1956-3-0x00000000024F0000-0x000000000250C000-memory.dmp
  Filesize: 112KB

• memory/1956-9-0x000000001B050000-0x000000001B058000-memory.dmp
  Filesize: 32KB

• memory/1956-6-0x000000001B010000-0x000000001B020000-memory.dmp
  Filesize: 64KB

• memory/1956-10-0x000000001B070000-0x000000001B080000-memory.dmp
  Filesize: 64KB

• memory/1956-8-0x000000001B040000-0x000000001B048000-memory.dmp
  Filesize: 32KB

• memory/1956-7-0x000000001B020000-0x000000001B036000-memory.dmp
  Filesize: 88KB

• memory/1956-5-0x000000001B000000-0x000000001B008000-memory.dmp
  Filesize: 32KB

• memory/3092-506-0x000000001B020000-0x000000001B076000-memory.dmp
  Filesize: 344KB

• memory/3208-612-0x000000001BEC0000-0x000000001BF16000-memory.dmp
  Filesize: 344KB

• memory/3756-130-0x000001F97CBD0000-0x000001F97CBF2000-memory.dmp
  Filesize: 136KB

• memory/4132-518-0x000000001B280000-0x000000001B292000-memory.dmp
  Filesize: 72KB

• memory/4648-489-0x000000001BBB0000-0x000000001BBC2000-memory.dmp
  Filesize: 72KB