Analysis

  • max time kernel
    146s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-05-2024 09:16

General

  • Target

    d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe

  • Size

    2.9MB

  • MD5

    d22bc2c281eda0bd630673443da3d2f0

  • SHA1

    31f11ef93b4a2d28a6445090128e37c32a58661c

  • SHA256

    38f4b04c7fe1ce4d8ce9e43eb0df87bdb03c0f3b432daa8670be4750bab542b6

  • SHA512

    76c82f89813b8e2e40a90b2347a971599a5afbf7a0484c99b74a3ddcb3cdeb330b94b9efbb111159603a17f64f8621ecbffa90c1c0c8c4fded469e0575044538

  • SSDEEP

    49152:H4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:YDKmzjWnC8Wikx1DUN2/Uq

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Process spawned unexpected child process 63 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 51 IoCs
  • DCRat payload 12 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 16 IoCs
  • Checks whether UAC is enabled 1 TTPs 34 IoCs
  • Drops file in Program Files directory 23 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 63 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 51 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1856
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2388
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:328
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2372
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2360
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1552
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1608
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1216
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:752
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1872
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1664
    • C:\Users\Admin\AppData\Local\Temp\d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2276
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2736
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2832
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2604
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2504
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2464
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2768
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2628
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2484
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2584
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2456
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2904
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1628
      • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:444
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a93c7b6-ac4d-4870-8af3-328881bcfafe.vbs"
          4⤵
            PID:2360
            • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe
              "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • System policy modification
              PID:3064
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58841f22-3d73-4b6e-a4a6-ab525bc45f0e.vbs"
                6⤵
                  PID:2356
                  • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe
                    "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"
                    7⤵
                    • UAC bypass
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • System policy modification
                    PID:912
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2d11e73-8da2-4a25-ab38-6403449807c5.vbs"
                      8⤵
                        PID:2148
                        • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe
                          "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"
                          9⤵
                          • UAC bypass
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • System policy modification
                          PID:2668
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13fe7019-3bc8-466d-8e1f-ebef01ffa290.vbs"
                            10⤵
                              PID:1720
                              • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe
                                "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"
                                11⤵
                                • UAC bypass
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • System policy modification
                                PID:2160
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9cc5cd7-f67f-4691-bf64-70ac7f6dd3e9.vbs"
                                  12⤵
                                    PID:2096
                                    • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe
                                      "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"
                                      13⤵
                                      • UAC bypass
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • System policy modification
                                      PID:880
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d86bb8f8-f0d8-437e-b511-777f2844f73f.vbs"
                                        14⤵
                                          PID:2272
                                          • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe
                                            "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"
                                            15⤵
                                            • UAC bypass
                                            • Executes dropped EXE
                                            • Checks whether UAC is enabled
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            • System policy modification
                                            PID:2632
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1700c1c5-da40-4e9f-8cd3-b1f4b9869049.vbs"
                                              16⤵
                                                PID:2796
                                                • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe
                                                  "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"
                                                  17⤵
                                                  • UAC bypass
                                                  • Executes dropped EXE
                                                  • Checks whether UAC is enabled
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • System policy modification
                                                  PID:1660
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fe1d5f0-59fb-47ea-9185-ae5c6879e41e.vbs"
                                                    18⤵
                                                      PID:2740
                                                      • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe
                                                        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"
                                                        19⤵
                                                        • UAC bypass
                                                        • Executes dropped EXE
                                                        • Checks whether UAC is enabled
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • System policy modification
                                                        PID:2920
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94594930-425e-4aae-b1c4-5c3b630cc984.vbs"
                                                          20⤵
                                                            PID:568
                                                            • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe
                                                              "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"
                                                              21⤵
                                                              • UAC bypass
                                                              • Executes dropped EXE
                                                              • Checks whether UAC is enabled
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • System policy modification
                                                              PID:1820
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81cfd0a2-1065-453b-8223-59e65b9c17c5.vbs"
                                                                22⤵
                                                                  PID:1540
                                                                  • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe
                                                                    "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"
                                                                    23⤵
                                                                    • UAC bypass
                                                                    • Executes dropped EXE
                                                                    • Checks whether UAC is enabled
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    • System policy modification
                                                                    PID:3000
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f837037d-b20e-4256-9b3b-38f5f14904a7.vbs"
                                                                      24⤵
                                                                        PID:1040
                                                                        • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe
                                                                          "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"
                                                                          25⤵
                                                                          • UAC bypass
                                                                          • Executes dropped EXE
                                                                          • Checks whether UAC is enabled
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          • System policy modification
                                                                          PID:2112
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3d6944f-1674-4ec1-93ec-6a5116ee0af4.vbs"
                                                                            26⤵
                                                                              PID:1608
                                                                              • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe
                                                                                "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"
                                                                                27⤵
                                                                                • UAC bypass
                                                                                • Executes dropped EXE
                                                                                • Checks whether UAC is enabled
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                • System policy modification
                                                                                PID:1296
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e03093a-705c-4408-8c77-b59452ae7856.vbs"
                                                                                  28⤵
                                                                                    PID:1516
                                                                                    • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe
                                                                                      "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"
                                                                                      29⤵
                                                                                      • UAC bypass
                                                                                      • Executes dropped EXE
                                                                                      • Checks whether UAC is enabled
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      • System policy modification
                                                                                      PID:2480
                                                                                      • C:\Windows\System32\WScript.exe
                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd4e3bf4-d255-4d36-88d7-9c54be2db269.vbs"
                                                                                        30⤵
                                                                                          PID:1216
                                                                                          • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe
                                                                                            "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"
                                                                                            31⤵
                                                                                            • UAC bypass
                                                                                            • Executes dropped EXE
                                                                                            • Checks whether UAC is enabled
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            • System policy modification
                                                                                            PID:1728
                                                                                            • C:\Windows\System32\WScript.exe
                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a49a1fdb-a53d-474b-a1f8-ac5958359b8e.vbs"
                                                                                              32⤵
                                                                                                PID:352
                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5dbfb6d8-b81d-470b-a15b-f474171c9da0.vbs"
                                                                                                32⤵
                                                                                                  PID:1512
                                                                                            • C:\Windows\System32\WScript.exe
                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\449afc26-8060-4c18-ae66-688447279ce7.vbs"
                                                                                              30⤵
                                                                                                PID:1640
                                                                                          • C:\Windows\System32\WScript.exe
                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d03b0ba6-419c-4d53-b5ec-337479567b95.vbs"
                                                                                            28⤵
                                                                                              PID:1900
                                                                                        • C:\Windows\System32\WScript.exe
                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bdfc040-1b4a-447d-bc10-5158df39457e.vbs"
                                                                                          26⤵
                                                                                            PID:1896
                                                                                      • C:\Windows\System32\WScript.exe
                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\706cef54-b753-4de2-9292-9ea33929f3a4.vbs"
                                                                                        24⤵
                                                                                          PID:2060
                                                                                    • C:\Windows\System32\WScript.exe
                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c4a74bf-94fd-4e26-a305-072a79eb70ff.vbs"
                                                                                      22⤵
                                                                                        PID:2096
                                                                                  • C:\Windows\System32\WScript.exe
                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\691352a9-10eb-43e6-9d06-51dcfe5c423d.vbs"
                                                                                    20⤵
                                                                                      PID:2108
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ea3412b-15ca-496a-a287-7cbbd8e7d240.vbs"
                                                                                  18⤵
                                                                                    PID:2616
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\369e4250-a7ac-4ad4-891b-e85be65e3460.vbs"
                                                                                16⤵
                                                                                  PID:1844
                                                                            • C:\Windows\System32\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81b2cc72-825e-400e-8457-2c216f2b6fba.vbs"
                                                                              14⤵
                                                                                PID:1572
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b338f91e-6624-4cb0-908e-bc573309519a.vbs"
                                                                            12⤵
                                                                              PID:752
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93682006-16f6-47fb-9f95-29c740cb8d86.vbs"
                                                                          10⤵
                                                                            PID:1140
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4ad9304-06b9-4784-b16c-2577d0b70c10.vbs"
                                                                        8⤵
                                                                          PID:3040
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ff1e457-dcf9-4e90-be64-510a2cd45242.vbs"
                                                                      6⤵
                                                                        PID:1648
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41bf44bd-5445-4bc6-988b-862123bbcca8.vbs"
                                                                    4⤵
                                                                      PID:2996
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\audiodg.exe'" /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2792
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\audiodg.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2764
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\audiodg.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2396
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\Registration\CRMLog\wininit.exe'" /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2492
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\wininit.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:1984
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\wininit.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2092
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\smss.exe'" /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2508
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\smss.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:1732
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\smss.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:1020
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\dwm.exe'" /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2660
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\dwm.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2588
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\dwm.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2580
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2456
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2940
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2356
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2576
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2528
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:396
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\winlogon.exe'" /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2396
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Templates\winlogon.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2164
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Templates\winlogon.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:1348
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\explorer.exe'" /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2532
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\explorer.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:1852
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft Help\explorer.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:1780
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2672
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:1876
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:1860
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Application Data\wininit.exe'" /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2800
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\wininit.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2560
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Application Data\wininit.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:476
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2844
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:556
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2704
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2648
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:1516
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:1016
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\Idle.exe'" /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2268
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Java\Idle.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:1640
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\Idle.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2780
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\System.exe'" /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2992
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:1204
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:1140
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\ja-JP\dwm.exe'" /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2148
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\dwm.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:1756
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\ja-JP\dwm.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2012
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\csrss.exe'" /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2840
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:1520
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:1524
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe'" /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2056
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2200
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2144
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\Idle.exe'" /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2916
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\Idle.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2428
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\Idle.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:1480
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\taskhost.exe'" /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:1432
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\taskhost.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:636
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\taskhost.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:1868
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:236
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:3036
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2328
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\NetHood\WmiPrvSE.exe'" /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:1568
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\WmiPrvSE.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:2424
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\NetHood\WmiPrvSE.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • Process spawned unexpected child process
                                                                • Creates scheduled task(s)
                                                                PID:1996

                                                              Network

                                                              MITRE ATT&CK Enterprise v15

                                                              Downloads

                                                              • memory/3028-4-0x0000000000270000-0x0000000000278000-memory.dmp

                                                                Filesize

                                                                32KB

                                                              • memory/3028-14-0x00000000009C0000-0x00000000009CC000-memory.dmp

                                                                Filesize

                                                                48KB

                                                              • memory/3028-3-0x0000000000250000-0x000000000026C000-memory.dmp

                                                                Filesize

                                                                112KB

                                                              • memory/3028-2-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

                                                                Filesize

                                                                9.9MB

                                                              • memory/3028-20-0x0000000002330000-0x0000000002338000-memory.dmp

                                                                Filesize

                                                                32KB

                                                              • memory/3028-0-0x000007FEF5293000-0x000007FEF5294000-memory.dmp

                                                                Filesize

                                                                4KB

                                                              • memory/3028-118-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

                                                                Filesize

                                                                9.9MB

                                                              • memory/3028-1-0x00000000002A0000-0x0000000000586000-memory.dmp

                                                                Filesize

                                                                2.9MB

                                                              • memory/3028-18-0x0000000002310000-0x000000000231A000-memory.dmp

                                                                Filesize

                                                                40KB

                                                              • memory/3028-19-0x0000000002320000-0x000000000232E000-memory.dmp

                                                                Filesize

                                                                56KB

                                                              • memory/3028-25-0x0000000002510000-0x000000000251C000-memory.dmp

                                                                Filesize

                                                                48KB

                                                              • memory/3028-24-0x0000000002500000-0x000000000250A000-memory.dmp

                                                                Filesize

                                                                40KB

                                                              • memory/3028-23-0x00000000024F0000-0x00000000024F8000-memory.dmp

                                                                Filesize

                                                                32KB

                                                              • memory/3028-22-0x00000000024E0000-0x00000000024EC000-memory.dmp

                                                                Filesize

                                                                48KB

                                                              • memory/3028-21-0x00000000024D0000-0x00000000024DE000-memory.dmp

                                                                Filesize

                                                                56KB