Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-05-2024 05:49

General

  • Target

    a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe

  • Size

    2.9MB

  • MD5

    a8afc525e8ae9a9c34f01e2efb7fdab0

  • SHA1

    6e519caf5546a9c89e62ec00fc11d78ef2fbfb6d

  • SHA256

    4123eccc2d223d14ab820f328e26e109a0a6fa4a58648122fbc0fa352d242836

  • SHA512

    d0747c7bfba0dff9e8d3d98d4912653006b91ac5bb63493bef05116ba2282d1daeaad2c24958ddb96623172a12bdffa77be014e08537fedde295e90bffd37b4d

  • SSDEEP

    49152:/4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:wDKmzjWnC8Wikx1DUN2/Uq

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 45 IoCs
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 14 IoCs
  • Checks whether UAC is enabled 1 TTPs 30 IoCs
  • Drops file in Program Files directory 28 IoCs
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1420
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2332
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:636
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1816
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4280
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:832
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1960
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3036
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1168
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2568
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U3xVM6PQLh.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:3044
        • C:\Program Files\dotnet\swidtag\System.exe
          "C:\Program Files\dotnet\swidtag\System.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:5296
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81f75e1a-5ede-4883-a03a-b7e16ecacfdd.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:5500
            • C:\Program Files\dotnet\swidtag\System.exe
              "C:\Program Files\dotnet\swidtag\System.exe"
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:5712
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac04cd05-46ac-40b8-a34e-18cdf1e6605a.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:5880
                • C:\Program Files\dotnet\swidtag\System.exe
                  "C:\Program Files\dotnet\swidtag\System.exe"
                  7⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:6076
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6368dd9-c571-488c-8bb1-422af6182adb.vbs"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3540
                    • C:\Program Files\dotnet\swidtag\System.exe
                      "C:\Program Files\dotnet\swidtag\System.exe"
                      9⤵
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:2796
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8faeba6-9ae1-41ed-a528-84dda39cccc8.vbs"
                        10⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4436
                        • C:\Program Files\dotnet\swidtag\System.exe
                          "C:\Program Files\dotnet\swidtag\System.exe"
                          11⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:2912
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d20f3306-4e35-46f6-b7e9-c82194a1a269.vbs"
                            12⤵
                            • Suspicious use of WriteProcessMemory
                            PID:4644
                            • C:\Program Files\dotnet\swidtag\System.exe
                              "C:\Program Files\dotnet\swidtag\System.exe"
                              13⤵
                              • UAC bypass
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              • System policy modification
                              PID:936
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe2e06b6-6c37-42de-8658-130013668675.vbs"
                                14⤵
                                • Suspicious use of WriteProcessMemory
                                PID:4732
                                • C:\Program Files\dotnet\swidtag\System.exe
                                  "C:\Program Files\dotnet\swidtag\System.exe"
                                  15⤵
                                  • UAC bypass
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • System policy modification
                                  PID:5312
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\719e169f-903c-4569-a74a-fa94cc4178a2.vbs"
                                    16⤵
                                      PID:5608
                                      • C:\Program Files\dotnet\swidtag\System.exe
                                        "C:\Program Files\dotnet\swidtag\System.exe"
                                        17⤵
                                        • UAC bypass
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Checks whether UAC is enabled
                                        • Modifies registry class
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        • System policy modification
                                        PID:5564
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a01b7f7f-817b-43a8-82ba-ade5a662e2b0.vbs"
                                          18⤵
                                            PID:5888
                                            • C:\Program Files\dotnet\swidtag\System.exe
                                              "C:\Program Files\dotnet\swidtag\System.exe"
                                              19⤵
                                              • UAC bypass
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Checks whether UAC is enabled
                                              • Modifies registry class
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              • System policy modification
                                              PID:1744
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7960f7f-439a-44aa-a2f7-27b560e4b9ac.vbs"
                                                20⤵
                                                  PID:4352
                                                  • C:\Program Files\dotnet\swidtag\System.exe
                                                    "C:\Program Files\dotnet\swidtag\System.exe"
                                                    21⤵
                                                    • UAC bypass
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Checks whether UAC is enabled
                                                    • Modifies registry class
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • System policy modification
                                                    PID:1948
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77f2a231-b325-4c4b-afba-1b61ebb5c891.vbs"
                                                      22⤵
                                                        PID:3512
                                                        • C:\Program Files\dotnet\swidtag\System.exe
                                                          "C:\Program Files\dotnet\swidtag\System.exe"
                                                          23⤵
                                                          • UAC bypass
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Checks whether UAC is enabled
                                                          • Modifies registry class
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • System policy modification
                                                          PID:2056
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db4ef1d8-91d7-4060-93d4-c943c3ee3da7.vbs"
                                                            24⤵
                                                              PID:5180
                                                              • C:\Program Files\dotnet\swidtag\System.exe
                                                                "C:\Program Files\dotnet\swidtag\System.exe"
                                                                25⤵
                                                                • UAC bypass
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Checks whether UAC is enabled
                                                                • Modifies registry class
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                • System policy modification
                                                                PID:3876
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a67a3a51-6220-48b6-8ac9-fc67a4cd4b40.vbs"
                                                                  26⤵
                                                                    PID:5468
                                                                    • C:\Program Files\dotnet\swidtag\System.exe
                                                                      "C:\Program Files\dotnet\swidtag\System.exe"
                                                                      27⤵
                                                                      • UAC bypass
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Checks whether UAC is enabled
                                                                      • Modifies registry class
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      • System policy modification
                                                                      PID:5572
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ee3762b-8af4-4bbe-afbb-769b535487eb.vbs"
                                                                        28⤵
                                                                          PID:5980
                                                                          • C:\Program Files\dotnet\swidtag\System.exe
                                                                            "C:\Program Files\dotnet\swidtag\System.exe"
                                                                            29⤵
                                                                            • UAC bypass
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            • Checks whether UAC is enabled
                                                                            • Modifies registry class
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            • System policy modification
                                                                            PID:3780
                                                                            • C:\Windows\System32\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f7afeb9-4690-44b9-84fb-30d576701e7a.vbs"
                                                                              30⤵
                                                                                PID:2552
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75a50156-2663-4b4b-bf25-7f45c26ab261.vbs"
                                                                                30⤵
                                                                                  PID:1980
                                                                            • C:\Windows\System32\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e42af9e-4a9e-4b3f-87f9-1ed082f1c2be.vbs"
                                                                              28⤵
                                                                                PID:1048
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83bb50e7-6ec4-4593-9944-e7a711ebc540.vbs"
                                                                            26⤵
                                                                              PID:4596
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb9bcd02-e3f7-48bb-a851-d15130deb456.vbs"
                                                                          24⤵
                                                                            PID:4408
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3651f02-5395-474d-b367-ee32436e5be6.vbs"
                                                                        22⤵
                                                                          PID:4136
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bf8ac19-b53f-413f-94c3-0b06d396ed10.vbs"
                                                                      20⤵
                                                                        PID:5104
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea8fd2d6-68c8-4dfa-85a9-3d8c48513509.vbs"
                                                                    18⤵
                                                                      PID:6004
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2f62c84-6bee-43aa-afbd-b7458af06888.vbs"
                                                                  16⤵
                                                                    PID:5480
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02b691a4-14fe-4da3-b397-1f44c822e938.vbs"
                                                                14⤵
                                                                  PID:1408
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\697d4c62-43ea-4b32-b7c3-583a20277f8f.vbs"
                                                              12⤵
                                                                PID:4980
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9882725b-11cd-40c9-9f7b-7463a6ad7fac.vbs"
                                                            10⤵
                                                              PID:3736
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d568da6-b483-406a-b3f8-43a5f035db11.vbs"
                                                          8⤵
                                                            PID:4864
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e17fdfc-9d3a-4b13-976d-4d88cfdfdc63.vbs"
                                                        6⤵
                                                          PID:5928
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e445b310-c7c2-414c-9d15-e45d689b04be.vbs"
                                                      4⤵
                                                        PID:5544
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1404
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:3156
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1296
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalyticsa" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Gadgets\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:3580
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:5068
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalyticsa" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Gadgets\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1152
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\backgroundTaskHost.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:900
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\backgroundTaskHost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:3976
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\backgroundTaskHost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:4444
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:4924
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:560
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1848
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Videos\backgroundTaskHost.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:3968
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\backgroundTaskHost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1460
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Videos\backgroundTaskHost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2800
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\csrss.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:4136
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:4832
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:452
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1684
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:4964
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1016
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\sysmon.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:4668
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\Links\sysmon.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1816
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Links\sysmon.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:4492
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1524
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:3036
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2568
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\DiagTrack\spoolsv.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1804
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\DiagTrack\spoolsv.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1864
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\DiagTrack\spoolsv.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2204
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2768
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:4656
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:3932
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\swidtag\System.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2552
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\System.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1948
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\swidtag\System.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:3504
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\taskhostw.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:4544
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\Documents\taskhostw.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1252
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\taskhostw.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2352
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\ModemLogs\smss.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:4612
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ModemLogs\smss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:4644
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\ModemLogs\smss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:3988
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2340
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2720
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2632
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\sysmon.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1508
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\sysmon.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1728
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\sysmon.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:4936

                                                Network

                                                MITRE ATT&CK Enterprise v15

                                                Downloads

                                                • C:\Program Files\dotnet\swidtag\System.exe

                                                  Filesize

                                                  2.9MB

                                                  MD5

                                                  3ed22f1f48857191340f0c760ceed1cc

                                                  SHA1

                                                  ef8253c7eab15ad662686b8ce5634b7973a7bc75

                                                  SHA256

                                                  c2ab608be2caf318294a24c45d434a5acd18a9fcc01d8602c171d2b0c54c8ab7

                                                  SHA512

                                                  34c63b51d0b5e9b6f5b490b4f303c1da3ee7c860a1d8ea16e67053530b0a98be1646300e6de78c65fd10901a2bf314e07b8d179fb67642d026c61144d0311ce4

                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  4a667f150a4d1d02f53a9f24d89d53d1

                                                  SHA1

                                                  306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

                                                  SHA256

                                                  414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

                                                  SHA512

                                                  4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                  Filesize

                                                  2KB

                                                  MD5

                                                  d85ba6ff808d9e5444a4b369f5bc2730

                                                  SHA1

                                                  31aa9d96590fff6981b315e0b391b575e4c0804a

                                                  SHA256

                                                  84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                  SHA512

                                                  8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                  Filesize

                                                  944B

                                                  MD5

                                                  3235c0b45a0ee14bd4e5213339b30705

                                                  SHA1

                                                  49ebee3177d8bf7d2b1ce8df3f28f3cc576364aa

                                                  SHA256

                                                  e407d81c185f5505e1f76e43cfe12076caf7fc7ffb35fd8df087c12c35125b9f

                                                  SHA512

                                                  2e3e467a766e7f05c81f661472bf8ce944f915cf829f70b4f988b65fc55165580fe37bb8683851e28b939313707c995849fefb1f402d57998412de96cfe0cd54

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                  Filesize

                                                  944B

                                                  MD5

                                                  2e907f77659a6601fcc408274894da2e

                                                  SHA1

                                                  9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                                                  SHA256

                                                  385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                                                  SHA512

                                                  34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                  Filesize

                                                  944B

                                                  MD5

                                                  e243a38635ff9a06c87c2a61a2200656

                                                  SHA1

                                                  ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

                                                  SHA256

                                                  af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

                                                  SHA512

                                                  4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                  Filesize

                                                  944B

                                                  MD5

                                                  bd5940f08d0be56e65e5f2aaf47c538e

                                                  SHA1

                                                  d7e31b87866e5e383ab5499da64aba50f03e8443

                                                  SHA256

                                                  2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

                                                  SHA512

                                                  c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

                                                • C:\Users\Admin\AppData\Local\Temp\719e169f-903c-4569-a74a-fa94cc4178a2.vbs

                                                  Filesize

                                                  718B

                                                  MD5

                                                  bf239895c8c73d7365297742ffb74cb4

                                                  SHA1

                                                  7c970f4aa11401716a4a6cf5b219229256c3426d

                                                  SHA256

                                                  fa382062c752222cf5c81f5ee9be606c4110f617727e9f7b9e408db30d4e6954

                                                  SHA512

                                                  93fde9013772169e3855d5506bc89def4901b77e786fe138c87f656c195497809d92b4e991b40636efd1b234bd076868edd5a6b532d2ab0f9e6854a878ff6cfa

                                                • C:\Users\Admin\AppData\Local\Temp\77f2a231-b325-4c4b-afba-1b61ebb5c891.vbs

                                                  Filesize

                                                  718B

                                                  MD5

                                                  1bc6524f234f3066c34eaed964217786

                                                  SHA1

                                                  f8e7a00227a36dd151f557cda9b58297a4e9f4c1

                                                  SHA256

                                                  d1863e8545f91c6524184fb642e14a266963f0f1345fe4a9f19b04ba1a0603c9

                                                  SHA512

                                                  03ebc955e54cfb6d2329e74781bb04eaa8f5167bef8a3cf4b60ad73e5fe26f3374cf6e2bf95dca94dbcafe3bddb65a42822d61883555ea53b6bd01c8f417e81c

                                                • C:\Users\Admin\AppData\Local\Temp\7ee3762b-8af4-4bbe-afbb-769b535487eb.vbs

                                                  Filesize

                                                  718B

                                                  MD5

                                                  3feac04591e6a6557eb7eb98ecd4402d

                                                  SHA1

                                                  17b82499a5cd59b3f375a25e3ee5a82bcb3fc758

                                                  SHA256

                                                  3ab02661d08307532cf73b30faa6b2a4a5dd40c560b7421b9e411fbc2fe2276e

                                                  SHA512

                                                  4dba88a5bcc9fdcdc14f2255a0389257dedc4a428080bb1e9ecf3934f40f92e74f5393ce3050476f73feb5cf7d53fc6c54e3fd11ef82e39f74c755026f9819d8

                                                • C:\Users\Admin\AppData\Local\Temp\81f75e1a-5ede-4883-a03a-b7e16ecacfdd.vbs

                                                  Filesize

                                                  718B

                                                  MD5

                                                  959eaf14d146841f9b813bc3e0bfac45

                                                  SHA1

                                                  e41b1208a4ffacfe2acee7dd877d6fc96898f01c

                                                  SHA256

                                                  e4458cf4c8acf988ff8d2f07ffe8da3d37ee51ea13cb29524f79b138daa06b46

                                                  SHA512

                                                  0f0aa0eb00de2bf3dafd5e943dcce0eb85a82b1df37576b0ea9dc253c45f428b2cfde270796920f0acd656080803539f3b81171d556f107420e263a38d93422b

                                                • C:\Users\Admin\AppData\Local\Temp\U3xVM6PQLh.bat

                                                  Filesize

                                                  207B

                                                  MD5

                                                  72014a208bb9ec64d95becb5d17987ce

                                                  SHA1

                                                  86a499b20e4a29c1bd66037a4694d58fb9d898e4

                                                  SHA256

                                                  b25638cd8a9402cd01cedd5173d631f031be3cc475b83190a0416da5369cfb6b

                                                  SHA512

                                                  90aee720455b9442a5326724292adf5d5cb73ff5042f5243b5cdc387fc0d893704e76b9d8c94178311e080691e1d5f556a58a69a585cac3f5305e2b9a7a32810

                                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0bckveki.anc.ps1

                                                  Filesize

                                                  60B

                                                  MD5

                                                  d17fe0a3f47be24a6453e9ef58c94641

                                                  SHA1

                                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                  SHA256

                                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                  SHA512

                                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                • C:\Users\Admin\AppData\Local\Temp\a01b7f7f-817b-43a8-82ba-ade5a662e2b0.vbs

                                                  Filesize

                                                  718B

                                                  MD5

                                                  a96c81ca98475098243479df76191d38

                                                  SHA1

                                                  0d55f4b45f08b13119fc8f9b017ddeb6361ff074

                                                  SHA256

                                                  7212089a3ea5ac7891d6622cc826711f06adb7b67fa9f92f72cb2d241433edca

                                                  SHA512

                                                  8c65b9ab90bb5083522aef89b467915c9bbc0a2e3f3d6ddbfc2fcf14d53db963cb520fe208914d28d1f8300bc848ace93854cd6c849b1d414f5fe043f94bdea5

                                                • C:\Users\Admin\AppData\Local\Temp\a67a3a51-6220-48b6-8ac9-fc67a4cd4b40.vbs

                                                  Filesize

                                                  718B

                                                  MD5

                                                  db19227aac8ed34a2746e4062b4e4ee4

                                                  SHA1

                                                  6864e81308c2be1d095e0d8453439782463c4035

                                                  SHA256

                                                  2fde7b070cde433da934d8fc290d48738f5a8462d2c21ef25cd0b65ee583d40e

                                                  SHA512

                                                  bdf79033a113ceae20e41c6b868415c9cb37d9aa292a66994168972d7695f30763c7439b874f0b5d255ce99522f3063fe246e5f22ac4ea40d50e420f57ed1700

                                                • C:\Users\Admin\AppData\Local\Temp\ac04cd05-46ac-40b8-a34e-18cdf1e6605a.vbs

                                                  Filesize

                                                  718B

                                                  MD5

                                                  d34f801b2a9fa3d5733c1d4aec3e3c30

                                                  SHA1

                                                  6c829dee2eb3f1eb220cad1e4d2aa9a406b92752

                                                  SHA256

                                                  8176851426fc9cf2a9eb3c91cab6b05d8b66e08c9ed4fc978bf03d4b76e031c0

                                                  SHA512

                                                  edc2427fbf1765ccdeec051c3a249c699ed7a100ef8176f819f1bb7e0e0160c7a4123bd4dcaa10ff807956d36f5ac6d414b238a2379a4b219386edc2412f4bb0

                                                • C:\Users\Admin\AppData\Local\Temp\c8faeba6-9ae1-41ed-a528-84dda39cccc8.vbs

                                                  Filesize

                                                  718B

                                                  MD5

                                                  f69936edfbf3f6bf2908cd48ede83b78

                                                  SHA1

                                                  14dee1d2007b0853092de9f5d2e965856832a421

                                                  SHA256

                                                  14b2b0e382605cfdff5ae1add199927cf50896d6eb005d4511f13487c1bef527

                                                  SHA512

                                                  e34e11d00f4b6c944e4e3870594980ed899a3c39779edb4ba8f917f91b9d66443f41c3a32d6c8aea0af3b797631cb35f18c0c0865f30051937e411521ae634d6

                                                • C:\Users\Admin\AppData\Local\Temp\d20f3306-4e35-46f6-b7e9-c82194a1a269.vbs

                                                  Filesize

                                                  718B

                                                  MD5

                                                  4ec82340f322861c6dbc0d7b364f96c0

                                                  SHA1

                                                  acd8bd9323a71531c2164d9ecf519f549c7637d7

                                                  SHA256

                                                  e71ac10770bc65e9f5b2022a8fd8e2bb7a847e7cb6330a516adff733cd3f11bb

                                                  SHA512

                                                  c668680fc8931c753639a3579cae6a299136fa57bb2b06364fdf10435b7bcc17283137ce8cf411d46b75093e4222dce46fb7d6783d202800fd89f3af9418ffdb

                                                • C:\Users\Admin\AppData\Local\Temp\d6368dd9-c571-488c-8bb1-422af6182adb.vbs

                                                  Filesize

                                                  718B

                                                  MD5

                                                  14409cdbb57eb036e434e0367ccb5e63

                                                  SHA1

                                                  4f6dba244df002e172f362e3d761308b06d07e18

                                                  SHA256

                                                  6670599d757e45b001c29430d2289b0cc71fead30177f274e8853371e0a2ac38

                                                  SHA512

                                                  cae6a3b02dd4019fcaaea8178139ab0b3905fae864879962e6d8509788b36afe545012f88785bf0dc86be6ff01bedd3392b66ff8e57f5eb5de617351dcb3439b

                                                • C:\Users\Admin\AppData\Local\Temp\db4ef1d8-91d7-4060-93d4-c943c3ee3da7.vbs

                                                  Filesize

                                                  718B

                                                  MD5

                                                  3a2ed28dfc17fb1ac1a54f3a87b0e69a

                                                  SHA1

                                                  b7f775662fd8773c9ac87d5839114fbcb9b82092

                                                  SHA256

                                                  92b87f9c77e01955f0762cf0dc3d5817c38bc1e73f28b4fe74f0f7fbe9c35b42

                                                  SHA512

                                                  82ef09833ca4aa6100049e39e54177224c0baeae462a45d3eef745109383baec773176bc496b0e31373dff00e3330f14ab4270e487f96212c5eaebd384bab915

                                                • C:\Users\Admin\AppData\Local\Temp\e445b310-c7c2-414c-9d15-e45d689b04be.vbs

                                                  Filesize

                                                  494B

                                                  MD5

                                                  834c014c4755534762bde05d0ad5499a

                                                  SHA1

                                                  29eb404a4c2811667de93fbdc603ba26d9674db9

                                                  SHA256

                                                  b71765f62aece19d35777b6becf95b9e7dd7cfbdf06ee3520e465e4ae6d60ff7

                                                  SHA512

                                                  c62a7fd854e9e7bd45699aacdbe043792e9ae163361fafd93ac00aa097c5e3a8b4eb8515b41d03f271193ff3e3dfb636932883662ed8efa237d525ea9ba2de10

                                                • C:\Users\Admin\AppData\Local\Temp\f7960f7f-439a-44aa-a2f7-27b560e4b9ac.vbs

                                                  Filesize

                                                  718B

                                                  MD5

                                                  51a44cddc79288e802d506e2ab6ddd79

                                                  SHA1

                                                  a17324ea606c5970e6a604a51cca1ab51f8360ad

                                                  SHA256

                                                  0fc93dd409a54ff28af45cdc62c83a83d044277acce7cafe031d7ce99372ab87

                                                  SHA512

                                                  7d5970500c8573888d0b01a58ae077ae8e5ed911ad15777ca50a9c58bf619b17a353658d4d77f88d6b882e1a56b48cd343c1a10fe6091b359711fdb651c91e78

                                                • C:\Users\Admin\AppData\Local\Temp\fe2e06b6-6c37-42de-8658-130013668675.vbs

                                                  Filesize

                                                  717B

                                                  MD5

                                                  87b10fbd2a282bedfe207dc93260db7c

                                                  SHA1

                                                  049df64cf2c17efec21dfd3f39d8fa519981e2ac

                                                  SHA256

                                                  068eca96d96d8c777e934344100361861e36d129ec1c7e47c1093e6b05715da5

                                                  SHA512

                                                  4357d672b1b83c6c6195962a90b83ef436e532419fdc6c95ad1bc08cda5454e08ce278a99cc2186de2e59c504c6aabeb22566b140893ee073562ca27a8774a52

                                                • C:\Users\Default\Links\RCX66C1.tmp

                                                  Filesize

                                                  2.9MB

                                                  MD5

                                                  4744187154f1bf883aeda07c68503d56

                                                  SHA1

                                                  a9c48238455eddaf8df79ae13c03493d9b03ec00

                                                  SHA256

                                                  c3c37738590e567bbffda3930e540ac020e85f13357df65716d5c3cbfd21e371

                                                  SHA512

                                                  d6f63c83285c72cb3f6c4b8dbfe5a04e9d2ceedc0bd051b830f3180fa1592fade83c18f9f29524fbd2c93eec86d84ee9f1fff11624e0503696d321a5a06158c2

                                                • C:\Users\Public\Videos\backgroundTaskHost.exe

                                                  Filesize

                                                  2.9MB

                                                  MD5

                                                  a8afc525e8ae9a9c34f01e2efb7fdab0

                                                  SHA1

                                                  6e519caf5546a9c89e62ec00fc11d78ef2fbfb6d

                                                  SHA256

                                                  4123eccc2d223d14ab820f328e26e109a0a6fa4a58648122fbc0fa352d242836

                                                  SHA512

                                                  d0747c7bfba0dff9e8d3d98d4912653006b91ac5bb63493bef05116ba2282d1daeaad2c24958ddb96623172a12bdffa77be014e08537fedde295e90bffd37b4d

                                                • C:\Windows\DiagTrack\spoolsv.exe

                                                  Filesize

                                                  2.9MB

                                                  MD5

                                                  43374f10cb920500e15ff29ce26531bd

                                                  SHA1

                                                  928af16db8da595319f5f182c48be4e568d2d356

                                                  SHA256

                                                  e142849ab90316f280db6dbba3ede5f30571aa752939b44b5d41b3926fffe33a

                                                  SHA512

                                                  75bc3ff6975e530a5df66d991a8684107af246d00345acd14099fdaf97923c3e3567b7ff16787ecabf278f3a46385f175bc5b7695a26908ab88137120e2fd8c9

                                                • memory/1420-16-0x000000001B250000-0x000000001B262000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/1420-17-0x000000001BE60000-0x000000001C388000-memory.dmp

                                                  Filesize

                                                  5.2MB

                                                • memory/1420-1-0x0000000000290000-0x0000000000576000-memory.dmp

                                                  Filesize

                                                  2.9MB

                                                • memory/1420-0-0x00007FFB7BAB3000-0x00007FFB7BAB5000-memory.dmp

                                                  Filesize

                                                  8KB

                                                • memory/1420-19-0x000000001B940000-0x000000001B948000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/1420-25-0x000000001B9A0000-0x000000001B9A8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/1420-178-0x00007FFB7BAB0000-0x00007FFB7C571000-memory.dmp

                                                  Filesize

                                                  10.8MB

                                                • memory/1420-20-0x000000001B950000-0x000000001B95A000-memory.dmp

                                                  Filesize

                                                  40KB

                                                • memory/1420-26-0x000000001B9B0000-0x000000001B9BA000-memory.dmp

                                                  Filesize

                                                  40KB

                                                • memory/1420-24-0x000000001B990000-0x000000001B99C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/1420-21-0x000000001B960000-0x000000001B96E000-memory.dmp

                                                  Filesize

                                                  56KB

                                                • memory/1420-22-0x000000001B970000-0x000000001B978000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/1420-23-0x000000001B980000-0x000000001B98E000-memory.dmp

                                                  Filesize

                                                  56KB

                                                • memory/1420-18-0x000000001B930000-0x000000001B938000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/1420-10-0x000000001B1F0000-0x000000001B200000-memory.dmp

                                                  Filesize

                                                  64KB

                                                • memory/1420-27-0x000000001B9C0000-0x000000001B9CC000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/1420-2-0x00007FFB7BAB0000-0x00007FFB7C571000-memory.dmp

                                                  Filesize

                                                  10.8MB

                                                • memory/1420-15-0x000000001B240000-0x000000001B24C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/1420-14-0x000000001B230000-0x000000001B238000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/1420-13-0x000000001B210000-0x000000001B21C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/1420-12-0x000000001B8C0000-0x000000001B916000-memory.dmp

                                                  Filesize

                                                  344KB

                                                • memory/1420-11-0x000000001B200000-0x000000001B20A000-memory.dmp

                                                  Filesize

                                                  40KB

                                                • memory/1420-4-0x000000001B870000-0x000000001B8C0000-memory.dmp

                                                  Filesize

                                                  320KB

                                                • memory/1420-3-0x0000000000F10000-0x0000000000F2C000-memory.dmp

                                                  Filesize

                                                  112KB

                                                • memory/1420-5-0x0000000000C40000-0x0000000000C48000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/1420-7-0x0000000000F30000-0x0000000000F46000-memory.dmp

                                                  Filesize

                                                  88KB

                                                • memory/1420-8-0x000000001B1D0000-0x000000001B1D8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/1420-9-0x000000001B1E0000-0x000000001B1E8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/1420-6-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

                                                  Filesize

                                                  64KB

                                                • memory/2056-420-0x000000001B990000-0x000000001B9A2000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/2568-179-0x0000025972630000-0x0000025972652000-memory.dmp

                                                  Filesize

                                                  136KB

                                                • memory/2796-340-0x000000001BDE0000-0x000000001BE36000-memory.dmp

                                                  Filesize

                                                  344KB

                                                • memory/3780-453-0x000000001B8B0000-0x000000001B8C2000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/5296-305-0x000000001B4B0000-0x000000001B4C2000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/5296-304-0x0000000000450000-0x0000000000736000-memory.dmp

                                                  Filesize

                                                  2.9MB

                                                • memory/5312-374-0x000000001B310000-0x000000001B322000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/5564-386-0x000000001BCF0000-0x000000001BD02000-memory.dmp

                                                  Filesize

                                                  72KB