Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-05-2024 05:49

General

  • Target

    a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe

  • Size

    2.9MB

  • MD5

    a8afc525e8ae9a9c34f01e2efb7fdab0

  • SHA1

    6e519caf5546a9c89e62ec00fc11d78ef2fbfb6d

  • SHA256

    4123eccc2d223d14ab820f328e26e109a0a6fa4a58648122fbc0fa352d242836

  • SHA512

    d0747c7bfba0dff9e8d3d98d4912653006b91ac5bb63493bef05116ba2282d1daeaad2c24958ddb96623172a12bdffa77be014e08537fedde295e90bffd37b4d

  • SSDEEP

    49152:/4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:wDKmzjWnC8Wikx1DUN2/Uq

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. In this run the flagged processes are the schtasks.exe invocations listed at the root of the process tree, which belong to the sample's scheduled-task persistence rather than to exploitation of a document or browser.

  • UAC bypass 3 TTPs 51 IoCs
  • DCRat payload 12 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    PowerShell is run to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. Here each of the twelve invocations runs Add-MpPreference -ExclusionPath against one path; the first, 'C:/', already exempts the whole system volume from scanning, and the remaining eleven cover its top-level directories.

  • Executes dropped EXE 16 IoCs
  • Checks whether UAC is enabled 1 TTPs 34 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 51 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
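The Defender-exclusion behaviour flagged above is visible in the process tree below as twelve PowerShell command lines. As an added example (not part of this sandbox report and not the sandbox's own detection logic), the following Python scores such command lines the way a process-creation rule fed from Sysmon Event ID 1 or Security 4688 would: it extracts every -ExclusionPath, -ExclusionProcess and -ExclusionExtension value, folds the forward-slash form the sample uses into normal Windows paths, rates each path's scope (volume root, top-level directory, nested) and marks a parent that spawns several exclusion-adding processes in a burst. The first five events are constructed to mirror the report's command lines; the control records with PIDs 4100-4103 are invented.

```python
import re

# Process-creation records (parent pid, pid, command line) constructed for this
# example.  The first five mirror the PowerShell invocations in the report's
# process tree; the last two, with invented PIDs 4100-4103, are benign controls.
SAMPLE_EVENTS = [
    (2916, 1476, "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'"),
    (2916, 2032, "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'"),
    (2916, 2508, "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'"),
    (2916, 2944, "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Users/'"),
    (2916, 2532, "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'"),
    (4100, 4102, 'powershell.exe -Command "Add-MpPreference -ExclusionPath '
                 "'C:\\Program Files\\Vendor\\Build\\cache', 'D:\\src' -ExclusionProcess build.exe\""),
    (4100, 4103, "powershell.exe -Command Get-MpPreference"),
]

# Only these cmdlets change Defender preferences; anything else is ignored.
MP_CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)

# One list item: single-quoted, double-quoted, or a bare token.
ITEM = r"(?:'[^']*'|\"[^\"]*\"|[^\s\"',]+)"
ITEM_RE = re.compile(ITEM)
# -ExclusionPath/-ExclusionProcess/-ExclusionExtension followed by one item or
# a comma-separated list of items (PowerShell array syntax).
EXCLUSION_RE = re.compile(
    rf"-Exclusion(Path|Process|Extension)\s+({ITEM}(?:\s*,\s*{ITEM})*)",
    re.IGNORECASE,
)

SEVERITY = {"volume_root": "critical", "top_level": "high", "nested": "medium", "unknown": "medium"}


def normalize_path(raw: str) -> str:
    # The sample writes paths with forward slashes ('C:/Windows/'); fold them to
    # backslashes and drop the trailing separator and case so comparisons are stable.
    return raw.strip().replace("/", "\\").rstrip("\\").lower()


def exclusion_scope(path: str) -> str:
    """Classify how much of the filesystem an -ExclusionPath value covers."""
    parts = [p for p in path.split("\\") if p]
    if not parts or not re.fullmatch(r"[a-z]:", parts[0]):
        return "unknown"          # relative path, UNC, or environment variable
    depth = len(parts) - 1
    if depth == 0:
        return "volume_root"      # 'C:\' excludes the entire drive
    if depth == 1:
        return "top_level"        # 'C:\Users', 'C:\Windows', ...
    return "nested"


def analyze_event(ppid: int, pid: int, cmdline: str) -> list:
    """Return one finding per excluded path/process/extension in a command line."""
    if not MP_CMDLET_RE.search(cmdline):
        return []
    findings = []
    for m in EXCLUSION_RE.finditer(cmdline):
        kind = m.group(1).lower()
        for item in ITEM_RE.findall(m.group(2)):
            value = item.strip("'\"")
            if kind == "path":
                scope = exclusion_scope(normalize_path(value))
            else:
                scope = kind      # any process or extension exclusion is worth review
            findings.append({"ppid": ppid, "pid": pid, "kind": kind, "value": value,
                             "scope": scope, "severity": SEVERITY.get(scope, "medium")})
    return findings


def analyze(events) -> list:
    """Analyse a batch of process-creation events and mark burst behaviour."""
    findings = [f for e in events for f in analyze_event(*e)]
    # One parent spawning several exclusion-adding PowerShell processes in a
    # row is a signal on its own, regardless of how broad each path is.
    children = {}
    for f in findings:
        children.setdefault(f["ppid"], set()).add(f["pid"])
    for f in findings:
        f["burst"] = len(children[f["ppid"]]) >= 3
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f'{f["severity"]:8} pid={f["pid"]} ppid={f["ppid"]} burst={f["burst"]} {f["kind"]}={f["value"]}')
```

The scope rating is deliberately coarse: a volume-root exclusion is always critical, a top-level directory is high, and anything deeper is left at medium so that a vendor's legitimate build cache does not page anyone, while the burst flag still catches a dropper that adds many narrow exclusions at once.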

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1476
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2032
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2956
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2372
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2508
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1800
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:288
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2220
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2944
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2532
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ysdVHTnJN0.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2932
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2072
        • C:\Users\Default User\explorer.exe
          "C:\Users\Default User\explorer.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2740
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a103a78f-e69e-4984-a98e-02fbdc3036ca.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1324
            • C:\Users\Default User\explorer.exe
              "C:\Users\Default User\explorer.exe"
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1912
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f48389c-5fe3-4edb-8897-1f3a2970d12c.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1116
                • C:\Users\Default User\explorer.exe
                  "C:\Users\Default User\explorer.exe"
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:900
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2c28514-d9f2-4328-bf7e-ccccb591eb51.vbs"
                    8⤵
                      PID:2720
                      • C:\Users\Default User\explorer.exe
                        "C:\Users\Default User\explorer.exe"
                        9⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:1356
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\363e9cb1-9fa6-4511-896e-bffa6e147617.vbs"
                          10⤵
                            PID:2372
                            • C:\Users\Default User\explorer.exe
                              "C:\Users\Default User\explorer.exe"
                              11⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:692
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49b05093-abad-4a08-9315-6f4ba8024643.vbs"
                                12⤵
                                  PID:2512
                                  • C:\Users\Default User\explorer.exe
                                    "C:\Users\Default User\explorer.exe"
                                    13⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:1280
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a05d262-3d9e-4444-827e-2fd7e20c2a9e.vbs"
                                      14⤵
                                        PID:528
                                        • C:\Users\Default User\explorer.exe
                                          "C:\Users\Default User\explorer.exe"
                                          15⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:3036
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66eb1788-9bf1-484a-9680-9b2cd437ade7.vbs"
                                            16⤵
                                              PID:2900
                                              • C:\Users\Default User\explorer.exe
                                                "C:\Users\Default User\explorer.exe"
                                                17⤵
                                                • UAC bypass
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:2108
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5856f763-0706-4448-a9a9-7a507254ebdb.vbs"
                                                  18⤵
                                                    PID:1048
                                                    • C:\Users\Default User\explorer.exe
                                                      "C:\Users\Default User\explorer.exe"
                                                      19⤵
                                                      • UAC bypass
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • System policy modification
                                                      PID:108
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddd21ad2-deb4-4f54-bc37-d8c5b4cdf663.vbs"
                                                        20⤵
                                                          PID:1780
                                                          • C:\Users\Default User\explorer.exe
                                                            "C:\Users\Default User\explorer.exe"
                                                            21⤵
                                                            • UAC bypass
                                                            • Executes dropped EXE
                                                            • Checks whether UAC is enabled
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • System policy modification
                                                            PID:2836
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05c5ecdb-6242-4970-8ff2-216e3ce08404.vbs"
                                                              22⤵
                                                                PID:816
                                                                • C:\Users\Default User\explorer.exe
                                                                  "C:\Users\Default User\explorer.exe"
                                                                  23⤵
                                                                  • UAC bypass
                                                                  • Executes dropped EXE
                                                                  • Checks whether UAC is enabled
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • System policy modification
                                                                  PID:2868
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc4ed6ce-a865-4918-9580-f21e3c8129b7.vbs"
                                                                    24⤵
                                                                      PID:1580
                                                                      • C:\Users\Default User\explorer.exe
                                                                        "C:\Users\Default User\explorer.exe"
                                                                        25⤵
                                                                        • UAC bypass
                                                                        • Executes dropped EXE
                                                                        • Checks whether UAC is enabled
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        • System policy modification
                                                                        PID:2928
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af619b65-e94e-4518-8fd3-3b38b9aa7901.vbs"
                                                                          26⤵
                                                                            PID:1728
                                                                            • C:\Users\Default User\explorer.exe
                                                                              "C:\Users\Default User\explorer.exe"
                                                                              27⤵
                                                                              • UAC bypass
                                                                              • Executes dropped EXE
                                                                              • Checks whether UAC is enabled
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              • System policy modification
                                                                              PID:1476
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20f997a6-e691-449e-b4ab-f54325f1d1a5.vbs"
                                                                                28⤵
                                                                                  PID:1712
                                                                                  • C:\Users\Default User\explorer.exe
                                                                                    "C:\Users\Default User\explorer.exe"
                                                                                    29⤵
                                                                                    • UAC bypass
                                                                                    • Executes dropped EXE
                                                                                    • Checks whether UAC is enabled
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    • System policy modification
                                                                                    PID:2740
                                                                                    • C:\Windows\System32\WScript.exe
                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efc3972d-4bc8-4538-a7d7-15111adfb2e6.vbs"
                                                                                      30⤵
                                                                                        PID:920
                                                                                        • C:\Users\Default User\explorer.exe
                                                                                          "C:\Users\Default User\explorer.exe"
                                                                                          31⤵
                                                                                          • UAC bypass
                                                                                          • Executes dropped EXE
                                                                                          • Checks whether UAC is enabled
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          • System policy modification
                                                                                          PID:2336
                                                                                          • C:\Windows\System32\WScript.exe
                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f2ec64b-07d9-40ac-b63d-a60925424799.vbs"
                                                                                            32⤵
                                                                                              PID:2280
                                                                                              • C:\Users\Default User\explorer.exe
                                                                                                "C:\Users\Default User\explorer.exe"
                                                                                                33⤵
                                                                                                • UAC bypass
                                                                                                • Executes dropped EXE
                                                                                                • Checks whether UAC is enabled
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                • System policy modification
                                                                                                PID:2968
                                                                                            • C:\Windows\System32\WScript.exe
                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40b97223-d627-4df8-a0c2-9553b0654e44.vbs"
                                                                                              32⤵
                                                                                                PID:376
                                                                                          • C:\Windows\System32\WScript.exe
                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4f797ed-15b6-4c67-bca6-87a1c538e50b.vbs"
                                                                                            30⤵
                                                                                              PID:2492
                                                                                        • C:\Windows\System32\WScript.exe
                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53b0d352-4272-4049-911b-423f0bed4820.vbs"
                                                                                          28⤵
                                                                                            PID:1048
                                                                                      • C:\Windows\System32\WScript.exe
                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\746f13de-eede-4584-84e2-6147e48d5ba7.vbs"
                                                                                        26⤵
                                                                                          PID:2144
                                                                                    • C:\Windows\System32\WScript.exe
                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d58e40c2-ec4a-468b-9331-f58b49a88554.vbs"
                                                                                      24⤵
                                                                                        PID:2952
                                                                                  • C:\Windows\System32\WScript.exe
                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e71719c5-d0a5-453d-8d12-a7b08c39d2be.vbs"
                                                                                    22⤵
                                                                                      PID:2408
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9579227-adf1-401e-a06c-b6a0db3b9a8f.vbs"
                                                                                  20⤵
                                                                                    PID:2692
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e044797a-682b-4f31-8703-0404eb87f85d.vbs"
                                                                                18⤵
                                                                                  PID:1536
                                                                            • C:\Windows\System32\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9653902-85a6-4ec7-a7fb-05181742a7ce.vbs"
                                                                              16⤵
                                                                                PID:792
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0fb2d96-9d6e-4108-9606-48f561a1beb3.vbs"
                                                                            14⤵
                                                                              PID:1200
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c388c0e-ff71-4de1-8956-42a35fcf6e39.vbs"
                                                                          12⤵
                                                                            PID:2172
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9a3003c-2cf5-4c22-94d4-e1af823e26f2.vbs"
                                                                        10⤵
                                                                          PID:2892
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bea4c72-b1dd-4f2b-838b-0ef599d892cc.vbs"
                                                                      8⤵
                                                                        PID:1832
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f46bb77b-488d-47ed-853d-92024bc74635.vbs"
                                                                    6⤵
                                                                      PID:2036
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbf32d81-2334-4beb-8790-6d40e34b86f1.vbs"
                                                                  4⤵
                                                                    PID:2184
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\sppsvc.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2784
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\sppsvc.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2384
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\sppsvc.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2516
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2484
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2532
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2748
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellNew\sppsvc.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2388
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ShellNew\sppsvc.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1956
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellNew\sppsvc.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2800
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\explorer.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2780
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2832
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2020
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2956
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1848
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1256
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\AppPatch64\sppsvc.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1864
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\AppPatch\AppPatch64\sppsvc.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2200
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\AppPatch\AppPatch64\sppsvc.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2188
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:596
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:792
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1000
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\winlogon.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1064
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Fonts\winlogon.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:952
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\winlogon.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:584
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dllhost.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2436
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dllhost.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:760
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dllhost.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:616
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2268
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:3040
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2872
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Music\sppsvc.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2248
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Music\sppsvc.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2656
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Music\sppsvc.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2440
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1780
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1144
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1004
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\CRMLog\System.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2224
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\System.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2424
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\System.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:836
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1656
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1992
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1984
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1988
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2000
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:912
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1536
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1740
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:2892
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1664
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:1552
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Process spawned unexpected child process
                                                              • Creates scheduled task(s)
                                                              PID:900
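Every schtasks.exe line in the tree above follows one shape: a Windows system-process name (sppsvc, csrss, explorer, dllhost, winlogon, taskhost, smss, System, Idle) launched from a directory where no such binary lives, registered once per logon with /rl HIGHEST and again every 5 to 14 minutes, with the MINUTE task named after the file stem plus its own first letter (sppsvcs, explorere, dllhostd, SystemS). The Python below is an added triage example, not part of this sandbox report or of the sample: it parses schtasks /create command lines and counts those indicators per task. The directory allow-list (where the genuine binaries ship on Windows 7), the indicator thresholds and the benign "AcmeUpdate" line are assumptions constructed for the example; the other sample lines are copied from the process tree.

```python
"""Score schtasks /create command lines for masqueraded, high-privilege persistence.

Added triage example; not code from the sandbox or the analysed sample.
"""
import re
from dataclasses import dataclass

# Where the genuine binary with this name ships on Windows 7 (lowercase, exact
# directory). An empty list means Windows ships no file of that name at all:
# "System" and "System Idle Process" are kernel pseudo-processes, not .exe files.
# Assumption: allow-list written for this report only, not a general inventory.
SYSTEM_NAMES = {
    "sppsvc.exe":   [r"c:\windows\system32"],
    "csrss.exe":    [r"c:\windows\system32"],
    "explorer.exe": [r"c:\windows"],
    "dllhost.exe":  [r"c:\windows\system32", r"c:\windows\syswow64"],
    "winlogon.exe": [r"c:\windows\system32"],
    "taskhost.exe": [r"c:\windows\system32"],
    "smss.exe":     [r"c:\windows\system32"],
    "system.exe":   [],
    "idle.exe":     [],
}

# schtasks switches as they appear in the tree: /tn "name", /sc TYPE, /mo N,
# /tr "'C:\path\file.exe'" (double quotes wrapping single quotes), /rl LEVEL.
_TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
_SC = re.compile(r'/sc\s+(\S+)', re.I)
_MO = re.compile(r'/mo\s+(\d+)', re.I)
_TR = re.compile(r'''/tr\s+"'?(.+?)'?"''', re.I)
_RL = re.compile(r'/rl\s+(\S+)', re.I)


@dataclass
class TaskFinding:
    name: str
    target: str
    schedule: str
    indicators: list


def parse_schtasks(cmd):
    """Pull task name, schedule, modifier, target path and run level from a
    schtasks /create command line; None if it is not a /create line."""
    if "/create" not in cmd.lower():
        return None
    tn, sc, tr = _TN.search(cmd), _SC.search(cmd), _TR.search(cmd)
    if not (tn and sc and tr):
        return None
    mo, rl = _MO.search(cmd), _RL.search(cmd)
    return {
        "tn": tn.group(1),
        "sc": sc.group(1).upper(),
        "mo": int(mo.group(1)) if mo else None,
        "tr": tr.group(1),
        "rl": rl.group(1).upper() if rl else None,
    }


def assess(cmd):
    """Return a TaskFinding listing which persistence indicators the line shows."""
    t = parse_schtasks(cmd)
    if t is None:
        return None
    path = t["tr"]
    directory, _, base = path.lower().rpartition("\\")
    stem = base[:-4] if base.endswith(".exe") else base
    ind = []
    if base in SYSTEM_NAMES:
        legit = SYSTEM_NAMES[base]
        if not legit:
            ind.append("system-sounding name that ships with no such binary")
        elif directory not in legit:
            ind.append("system binary name outside " + ", ".join(legit))
    if t["rl"] == "HIGHEST":
        ind.append("/rl HIGHEST")
    # Assumption: re-run intervals of 15 minutes or less are treated as beaconing-style.
    if t["sc"] == "MINUTE" and t["mo"] is not None and t["mo"] <= 15:
        ind.append("re-runs every %d min" % t["mo"])
    # Naming tic seen across this sample's tasks: stem + its own first letter.
    if stem and t["tn"].lower() == stem + stem[0]:
        ind.append("task name is file stem with first letter appended")
    return TaskFinding(t["tn"], path, t["sc"], ind)


def suspicious(cmds, min_indicators=2):
    """Findings with at least min_indicators hits, in input order."""
    out = []
    for c in cmds:
        f = assess(c)
        if f is not None and len(f.indicators) >= min_indicators:
            out.append(f)
    return out


# First four lines copied from the process tree; the last is a constructed benign task.
SAMPLE = [
    r'''schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\sppsvc.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "AcmeUpdate" /sc DAILY /st 03:00 /tr "'C:\Program Files\Acme\updater.exe'" /f''',
]

if __name__ == "__main__":
    for f in suspicious(SAMPLE):
        print(f.name, "->", f.target)
        for i in f.indicators:
            print("   ", i)
```

The same parser runs unchanged over the Command Line column of `schtasks /query /fo CSV /v` on a suspect host, since the /tr path and the task name are what the allow-list keys on; the counts, not any single indicator, are what separate these tasks from ordinary software updaters, which also use /create and sometimes /rl HIGHEST.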

                                                            Network

                                                            MITRE ATT&CK Enterprise v15

                                                            Downloads

                                                            • C:\Program Files (x86)\Windows Portable Devices\dllhost.exe

                                                              Filesize

                                                              2.9MB

                                                              MD5

                                                              a8afc525e8ae9a9c34f01e2efb7fdab0

                                                              SHA1

                                                              6e519caf5546a9c89e62ec00fc11d78ef2fbfb6d

                                                              SHA256

                                                              4123eccc2d223d14ab820f328e26e109a0a6fa4a58648122fbc0fa352d242836

                                                              SHA512

                                                              d0747c7bfba0dff9e8d3d98d4912653006b91ac5bb63493bef05116ba2282d1daeaad2c24958ddb96623172a12bdffa77be014e08537fedde295e90bffd37b4d

                                                            • C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\RCX4A23.tmp

                                                              Filesize

                                                              2.9MB

                                                              MD5

                                                              44436a33067d0a0f891727bc4fb08ae0

                                                              SHA1

                                                              ca94d039b7a3ad474b6a8d8557b89ea8671b553f

                                                              SHA256

                                                              e035aebba4b502bf1a002fcbffb99bcce4ce74f3b8b7bc794977fa36aff01e15

                                                              SHA512

                                                              7f07b35fee3e6594fe327ab1d944ef09f04c2833d8b3b4769e8eff91384dbb580b11eec9515f19a5de303ffda516e90dfe9774bb559fb29dbab2fdf4b018bbfc

                                                            • C:\Users\Admin\AppData\Local\Temp\05c5ecdb-6242-4970-8ff2-216e3ce08404.vbs

                                                              Filesize

                                                              710B

                                                              MD5

                                                              8b6760853264e9b1289ba72b5ac5d262

                                                              SHA1

                                                              3d7369a19ead3c2a6571853cc412cde1cdfd6ad9

                                                              SHA256

                                                              b33e5243c0cf17697d0d0ad3b9e2213dd6f6360f1ddf05129d55d80bec026f90

                                                              SHA512

                                                              1a6fc54f7f2d52a6e1a92a7626f8335965c6a756f26d0bda5e84a105a6a237004f60c4a35c170c87bc86fc206c76aad33cafc129246b11af91251b1b541ba5f7

                                                            • C:\Users\Admin\AppData\Local\Temp\2f48389c-5fe3-4edb-8897-1f3a2970d12c.vbs

                                                              Filesize

                                                              710B

                                                              MD5

                                                              03c0266b5bff2bef60df923994cd9649

                                                              SHA1

                                                              bc644b9ad5a63b8c6ae193fb0775e8b856cbfadb

                                                              SHA256

                                                              e0230ad0251c667d8c7af42f20ebc15b5aaf3a4cbd6bd9add614c1e0d587de27

                                                              SHA512

                                                              b8ae7d6964b5b8deb10b4c670fd3cbbb6d4df2d00d9a76f6065667e551e17e79ea290b5a47a30bdad5d83d08c679cb157297fc82f3327bd828550947597ee72b

                                                            • C:\Users\Admin\AppData\Local\Temp\363e9cb1-9fa6-4511-896e-bffa6e147617.vbs

                                                              Filesize

                                                              710B

                                                              MD5

                                                              77b4f91f849a13506d2863959d7d5271

                                                              SHA1

                                                              9b8eaafd9981d0dd84c4f220c1f6271d72628d3c

                                                              SHA256

                                                              e5b8b1617b5b8ba2ffd82bf4a268f53032999b1ce0482b7a21fb1a8f42df1f3b

                                                              SHA512

                                                              2866ff9551b9163e9ade90f23830cf1cb1b7daa12c953678e5340bd47047f1ed916a48420d52f93d68c7fa1fb6fbe065942b53c6cbf6944514fbadc588c6a785

                                                            • C:\Users\Admin\AppData\Local\Temp\49b05093-abad-4a08-9315-6f4ba8024643.vbs

                                                              Filesize

                                                              709B

                                                              MD5

                                                              dde2c2cd95c9fbf964f53391cce772cd

                                                              SHA1

                                                              1e6db9c34910485cf4ba7d993e517f581c3e28a0

                                                              SHA256

                                                              9dbc6df11da61e79b3ea24f279ba2127da950431dcd677558d3b13cb7e27e34b

                                                              SHA512

                                                              6b2f93fa8e507096923ee99eaf0fe925343dd615b07c649070af68fbc755ad14a2eb027a585e8104ef3df2e789eea8f3c740eeb8393c0e7c5fe5381caf0bdc95

                                                            • C:\Users\Admin\AppData\Local\Temp\5856f763-0706-4448-a9a9-7a507254ebdb.vbs

                                                              Filesize

                                                              710B

                                                              MD5

                                                              c8a3ff7e6889fa4be2cb61fb8c2b3e3c

                                                              SHA1

                                                              db27fa765eb7396a9bc495d1030cb0de26adaf10

                                                              SHA256

                                                              6510fe533cac0b04513d7ec46fde8b01ceb004b011935100837f0e54cfb71e6e

                                                              SHA512

                                                              18345ec505d8fde99771efb90b3468e6b9e71ebd123515adbacda9f1a60f83126577e7312f17560f6c835eb4ddf7c95a01f1b5e6be514cc3f928e957ca2ea672

                                                            • C:\Users\Admin\AppData\Local\Temp\66eb1788-9bf1-484a-9680-9b2cd437ade7.vbs

                                                              Filesize

                                                              710B

                                                              MD5

                                                              436abedf4c75b2b7d1469d6e32a080e6

                                                              SHA1

                                                              cb9c2ff4e88d6bd0e85b05d525ec443a21a5eaf6

                                                              SHA256

                                                              bf248970d9fe707a26c11e4608412c453f84eda7f7ec37dc51e0c709ea794ba0

                                                              SHA512

                                                              6a078f8e73949c3a14ac6e87d6064a785e55ab5232724b229459bbaabaf8a1d7b1c5a044e36069c83d633302af4c96ec7da473894911a8dfb9ce2a11e64295c7

                                                            • C:\Users\Admin\AppData\Local\Temp\7a05d262-3d9e-4444-827e-2fd7e20c2a9e.vbs

                                                              Filesize

                                                              710B

                                                              MD5

                                                              b2a9f21ab75442a9c49709d943909f53

                                                              SHA1

                                                              61cf811310f01e21f7b9e1696f300469edfca865

                                                              SHA256

                                                              c071864763d744838488100cc2b7345d0db41b2c926bd197c46162ee6d6ff1c8

                                                              SHA512

                                                              c2a55d7c4a53fd0053141b9c23ca7fbea8ea79f435c703bc826990a9f339e7a3690ef696371afd8e43ef3d3624a7a78f6f389c2abb4c236c367db90730c44a17

                                                            • C:\Users\Admin\AppData\Local\Temp\a103a78f-e69e-4984-a98e-02fbdc3036ca.vbs

                                                              Filesize

                                                              710B

                                                              MD5

                                                              8211a40ed2336dd1fd9dfbbc27992da8

                                                              SHA1

                                                              92512caa7fd00f14ea86bb69d41701d64f71b685

                                                              SHA256

                                                              85d5519b16cf93d5af2a8001bc8d0ff5024e46bcb1a181a99b184718e535c267

                                                              SHA512

                                                              c45ced917a1a4a1b83793fe1331ada83dae344c715d7ffa1039cc7b57876fed54bb0abdbd669137ce5d68a3ca0b37d5d4f7ec3c017acc180fbcb32b6bfa79590

                                                            • C:\Users\Admin\AppData\Local\Temp\af619b65-e94e-4518-8fd3-3b38b9aa7901.vbs

                                                              Filesize

                                                              710B

                                                              MD5

                                                              833204edc74a46c1b3c31f0162f1bea9

                                                              SHA1

                                                              5d74bb81526a30a74808c2ae4a61244126f23be0

                                                              SHA256

                                                              f619801be262b907e1a2ccf8ce86536599409c13b08fa5d6b8f7d2b7c0ea1c40

                                                              SHA512

                                                              6e52ca5114e68f4417f3249d147a76672118ef8b6ed494234737ee0e2a2d3d0b5a3626c99ed4f73a3dc3346db78e95a09821ece29ca62f775d17e3dd83f21226

                                                            • C:\Users\Admin\AppData\Local\Temp\c2c28514-d9f2-4328-bf7e-ccccb591eb51.vbs

                                                              Filesize

                                                              709B

                                                              MD5

                                                              41ac08dfea8ccfa548aff02b7c894b71

                                                              SHA1

                                                              b38cc1b2a0aa8d84817033a39fdb4d0eb0ae2789

                                                              SHA256

                                                              9eb845b876a14978d6054a77f85b3a9f2baf70ab48cce9b64dabf0917d1d8371

                                                              SHA512

                                                              38916801d169cd21401cf4f00bd5a308ebbee3f347b6665255dd97ae8bfb9b144cfbbaa38c990ec519aae50c9a9bdb3bc8f35503d1bf6366549ee33e842ba7d9

                                                            • C:\Users\Admin\AppData\Local\Temp\cbf32d81-2334-4beb-8790-6d40e34b86f1.vbs

                                                              Filesize

                                                              486B

                                                              MD5

                                                              1c2f36472004060d89caa407f30b543c

                                                              SHA1

                                                              c1cc08c35d5c362880ecfc2ea61f63af19e7128f

                                                              SHA256

                                                              cc493f9fcba742b167d62bb8797d061a3a7ff89cf307724ba1db4e619ee4bc85

                                                              SHA512

                                                              c63bfb9764edf8dcf5f0a0e01e574674f2fd262f58acc5e7f8bf756c4ac934e48eebcac19e1747fed5201833e2ab25cc86c4b454adfdb0618abf22428bd219f6

                                                            • C:\Users\Admin\AppData\Local\Temp\cc4ed6ce-a865-4918-9580-f21e3c8129b7.vbs

                                                              Filesize

                                                              710B

                                                              MD5

                                                              25821d49b304d69d0b8265d0ae9aa653

                                                              SHA1

                                                              1771439b248eb23918800b42ec1df6fd09560cec

                                                              SHA256

                                                              8bca05d98783e7f69de335c2cd445feac3b236549df025f7a29574a6d7cdc0c8

                                                              SHA512

                                                              b335f1cf089c5916c00c9cf6a41291a635686f22b20068c0e2a1d70431d267dec8025af1567a3c166612ac12fd1f0896cdbc89a2c11fc1dd6764386689f440d8

                                                            • C:\Users\Admin\AppData\Local\Temp\ddd21ad2-deb4-4f54-bc37-d8c5b4cdf663.vbs

                                                              Filesize

                                                              709B

                                                              MD5

                                                              360e4511635271df794301ad9e892aef

                                                              SHA1

                                                              6f7ef3c50758d764420087f36fa5db88f9983419

                                                              SHA256

                                                              39124004cc318cdded86a0fec0a825839068787fbb84f3dfb0addaff845a6566

                                                              SHA512

                                                              2ee7ba3f322c8400127959d3362d91c9f73c02071e731cf826bdc2c1cca3b18ae86bb5a99b828512c774c388724048d5c98a75b237aa6e5b4b30874c05d75d8a

                                                            • C:\Users\Admin\AppData\Local\Temp\ysdVHTnJN0.bat

                                                              Filesize

                                                              199B

                                                              MD5

                                                              5e987f294a58b481115f6f419b4fdb0e

                                                              SHA1

                                                              39a56c7c58f94522aa62b371d2a7d16b28bf90cf

                                                              SHA256

                                                              d5bcd09252fd6a9ef309885bbff877f89102f2bcb47915f079dd1b7d13ba66e3

                                                              SHA512

                                                              bc42ff46d829fd32116322133ffc7e0ed6af3cff88522ed3e13e841343504ccad78ccb3d3a39616a6a138c164473e265632dadd13da68e804a525a23cc566e9b

                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                              Filesize

                                                              7KB

                                                              MD5

                                                              385c61ebb84899b6c237418d46361ec0

                                                              SHA1

                                                              032b60538924eaa68fdefcb0104a169349214813

                                                              SHA256

                                                              234b10b7f8359feef9540045b0adf98284c405326422de78387e7fe51ef3f55f

                                                              SHA512

                                                              6b430751f645c2bb0ab99d60f602b777a746758023671c50ca1681d70032cf40efa1ee73eb2493dccf4fa367a5b10f5ed3842b513d71dbfe149ea5a55f6db50c

                                                            • C:\Users\Default User\explorer.exe

                                                              Filesize

                                                              2.9MB

                                                              MD5

                                                              bb329817c94e26958235e548ecf4b299

                                                              SHA1

                                                              9f54532fd35427c7f6a3cc736fff38562d9ccdd1

                                                              SHA256

                                                              82cee8bf2fb5dc31e2cd5e0d2c1968b021de724f525c15f549e8cb397d30f7a5

                                                              SHA512

                                                              223df78f5240530a871be607e73b2d4a0f3f0320bb08d31b66229ef1002cae1d4405c5e0ff975ab0342fdb4dcf16c40a14fa0e2a3df4b2fa0fe8aa4253d5ecc3
