Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
  • submitted
    16-05-2024 10:15

General

  • Target

    da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe

  • Size

    3.2MB

  • MD5

    da302f8b90f36acd84743c7639d4e0d0

  • SHA1

    f8fdb617872a6f31fc21b7d7826efba0651077a4

  • SHA256

    a22fcf8eea502fd77a86507ef856f97512aeed2006a0d79f122850f5d14dcf9b

  • SHA512

    cb2392bfd6277ba436ccf0421baccbae4f2b6ef2ecbcd2c72c95de2e3a820a212cd9c7d3662795290341d9c285e75a8a2111fda8bb1ec296a9772689a9af9646

  • SSDEEP

    98304:msmfE8eD0M782w1JSdvi199xP9/ecsFjPSz:mQNBY2S99xl

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Process spawned unexpected child process (48 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass (3 TTPs, 39 IoCs)
  • DCRat payload (18 IoCs)

    Detects the payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell (1 TTPs, 12 IoCs)

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE (12 IoCs)
  • Checks whether UAC is enabled (1 TTPs, 26 IoCs)
  • Drops file in Program Files directory (20 IoCs)
  • Drops file in Windows directory (5 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTPs, 48 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (25 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTPs, 39 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1620
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2920
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2052
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:340
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:836
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2860
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2428
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2424
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2816
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2812
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1696
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2200
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\975DOJvBwA.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:560
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2660
        • C:\MSOCache\All Users\dllhost.exe
          "C:\MSOCache\All Users\dllhost.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1260
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e2015e1-9de3-40d9-9498-5d86330c1ffe.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2904
            • C:\MSOCache\All Users\dllhost.exe
              "C:\MSOCache\All Users\dllhost.exe"
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:992
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44147dcb-cc2f-494a-bff0-d297e8ab25e0.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1872
                • C:\MSOCache\All Users\dllhost.exe
                  "C:\MSOCache\All Users\dllhost.exe"
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:1812
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9d29ded-b1be-4ae0-bd66-9934a6581e61.vbs"
                    8⤵
                      PID:2160
                      • C:\MSOCache\All Users\dllhost.exe
                        "C:\MSOCache\All Users\dllhost.exe"
                        9⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:2576
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff2f51e7-6311-4120-8bb4-8f30828e7a97.vbs"
                          10⤵
                            PID:1704
                            • C:\MSOCache\All Users\dllhost.exe
                              "C:\MSOCache\All Users\dllhost.exe"
                              11⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:1280
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c327601-3250-4502-8e78-7786749bbcb7.vbs"
                                12⤵
                                  PID:760
                                  • C:\MSOCache\All Users\dllhost.exe
                                    "C:\MSOCache\All Users\dllhost.exe"
                                    13⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:2480
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2ce8f7a-d2ab-43af-a77d-8256a62ab62a.vbs"
                                      14⤵
                                        PID:1940
                                        • C:\MSOCache\All Users\dllhost.exe
                                          "C:\MSOCache\All Users\dllhost.exe"
                                          15⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:928
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\731d4967-d31e-4e8c-b242-92bb7dbca494.vbs"
                                            16⤵
                                              PID:1192
                                              • C:\MSOCache\All Users\dllhost.exe
                                                "C:\MSOCache\All Users\dllhost.exe"
                                                17⤵
                                                • UAC bypass
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:1676
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7104dc35-1082-4716-b98f-7e4dff457c03.vbs"
                                                  18⤵
                                                    PID:2460
                                                    • C:\MSOCache\All Users\dllhost.exe
                                                      "C:\MSOCache\All Users\dllhost.exe"
                                                      19⤵
                                                      • UAC bypass
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • System policy modification
                                                      PID:2764
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77b8499b-8f07-4007-bea7-7851fdfa0d67.vbs"
                                                        20⤵
                                                          PID:2240
                                                          • C:\MSOCache\All Users\dllhost.exe
                                                            "C:\MSOCache\All Users\dllhost.exe"
                                                            21⤵
                                                            • UAC bypass
                                                            • Executes dropped EXE
                                                            • Checks whether UAC is enabled
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • System policy modification
                                                            PID:2936
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b657a66-38ba-4374-a469-85bc2c251b46.vbs"
                                                              22⤵
                                                                PID:1556
                                                                • C:\MSOCache\All Users\dllhost.exe
                                                                  "C:\MSOCache\All Users\dllhost.exe"
                                                                  23⤵
                                                                  • UAC bypass
                                                                  • Executes dropped EXE
                                                                  • Checks whether UAC is enabled
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • System policy modification
                                                                  PID:2760
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bba88df0-dab3-4108-aa84-9b58efd0ae1b.vbs"
                                                                    24⤵
                                                                      PID:1768
                                                                      • C:\MSOCache\All Users\dllhost.exe
                                                                        "C:\MSOCache\All Users\dllhost.exe"
                                                                        25⤵
                                                                        • UAC bypass
                                                                        • Executes dropped EXE
                                                                        • Checks whether UAC is enabled
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        • System policy modification
                                                                        PID:2268
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5239759f-5e77-4774-9bf0-9fe579501fcd.vbs"
                                                                          26⤵
                                                                            PID:1676
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53446691-205b-4738-8a61-40ebb282f6b4.vbs"
                                                                            26⤵
                                                                              PID:2564
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80184ac8-f4b9-4973-abf2-e7ff331e66e7.vbs"
                                                                          24⤵
                                                                            PID:2736
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a457c264-2664-4c57-a35e-49a08c13bb81.vbs"
                                                                        22⤵
                                                                          PID:1344
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c648ebf5-09dc-4422-81c0-4755c483dc88.vbs"
                                                                      20⤵
                                                                        PID:1656
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a5c7089-e6e0-4386-a2fc-61c1135d123c.vbs"
                                                                    18⤵
                                                                      PID:1268
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78583bdd-3533-4700-adbd-674fdea49726.vbs"
                                                                  16⤵
                                                                    PID:340
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60a0e82b-7917-479f-9d33-1bbebd8d23ae.vbs"
                                                                14⤵
                                                                  PID:2904
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0beb8ac1-dd4c-4efe-9683-8cff200e0ee5.vbs"
                                                              12⤵
                                                                PID:2352
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0993398-6304-4cdf-8a68-72091d68a8fd.vbs"
                                                            10⤵
                                                              PID:2676
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3eeb865e-d19e-4d63-b214-22ec8dd9b50d.vbs"
                                                          8⤵
                                                            PID:3040
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd685df6-6b82-45f0-94f0-cf05269c4931.vbs"
                                                        6⤵
                                                          PID:536
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9995948e-2435-48e8-9432-61a8c13d89f3.vbs"
                                                      4⤵
                                                        PID:2180
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsm.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2588
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsm.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:3016
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsm.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1624
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "da302f8b90f36acd84743c7639d4e0d0_NeikiAnalyticsd" /sc MINUTE /mo 5 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2680
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2720
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "da302f8b90f36acd84743c7639d4e0d0_NeikiAnalyticsd" /sc MINUTE /mo 13 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2172
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Saved Games\audiodg.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2480
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\audiodg.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2536
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Saved Games\audiodg.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2880
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2052
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1280
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1960
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1224
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1120
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2200
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\System.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2356
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2044
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2352
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\explorer.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1036
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\explorer.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2180
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\explorer.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2184
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\taskhost.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:352
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1768
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2872
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\csrss.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2760
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1540
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2216
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\csrss.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2096
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:320
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:484
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:712
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2204
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1860
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Updater6\lsass.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1808
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\lsass.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1936
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Updater6\lsass.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:448
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\spoolsv.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2440
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\spoolsv.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1380
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\spoolsv.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1736
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Music\audiodg.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1776
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Music\audiodg.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1980
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Music\audiodg.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1984
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft Help\lsass.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:1608
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\lsass.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:900
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft Help\lsass.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2300
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\wininit.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2996
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\wininit.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:2404
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\wininit.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:3036
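
The 35 schtasks.exe invocations above follow one pattern per dropped copy: an ONLOGON task plus two MINUTE-interval tasks (the task names only differ by a trailing letter, "lsass"/"lsassl", "csrss"/"csrssc"), with /rl HIGHEST on the logon task and on one of the interval tasks, all pointing at a Windows system-process name placed somewhere it never legitimately lives (C:\Recovery\<GUID>, C:\Windows\Fonts, C:\Users\Default User, C:\MSOCache, ProgramData subfolders). The script below is an added triage example, not part of the sandbox report and not DCRat code: it parses the /create command lines, flags images whose basename matches a system process but whose directory is outside the system directories, and groups the hits by image path to recover the persistence layout. The command lines are copied from the report, with one constructed benign control line appended; the system-name list and the allowed-directory list are this example's own assumptions.

```python
"""Triage of schtasks.exe /create command lines for masquerading persistence."""
import ntpath  # Windows path handling regardless of the host OS
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Subset copied from the process list in the report. The last line is a
# constructed benign control (explorer.exe in its real directory, no /rl).
SCHTASKS_LINES = [
    r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\System.exe'" /f''',
    r'''schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\taskhost.exe'" /f''',
    r'''schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f''',
    r'''schtasks.exe /create /tn "ExplorerLogon" /sc ONLOGON /tr "'C:\Windows\explorer.exe'" /f''',  # constructed control
]

# Assumption: names the dropper borrows from Windows, and the only directories
# in which binaries with those names legitimately reside.
SYSTEM_IMAGE_NAMES = {"lsass.exe", "csrss.exe", "explorer.exe", "taskhost.exe",
                      "dllhost.exe", "spoolsv.exe", "audiodg.exe", "wininit.exe",
                      "system.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

# schtasks switches of interest; /mo is only present for interval schedules.
_ARG = {
    "name": re.compile(r'/tn\s+"([^"]*)"', re.I),
    "schedule": re.compile(r"/sc\s+(\S+)", re.I),
    "modifier": re.compile(r"/mo\s+(\d+)", re.I),
    "image": re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I),  # strips the "'...'" double quoting
    "runlevel": re.compile(r"/rl\s+(\S+)", re.I),
}


@dataclass
class Task:
    name: str
    schedule: str          # "ONLOGON" or e.g. "MINUTE/12"
    image: str
    highest: bool          # /rl HIGHEST requested
    reasons: list = field(default_factory=list)


def parse_schtasks(cmdline: str) -> Task:
    """Extract task name, schedule, target image and run level from one /create line."""
    def grab(key: str) -> str:
        m = _ARG[key].search(cmdline)
        return m.group(1) if m else ""
    sched = grab("schedule").upper()
    if grab("modifier"):
        sched = f"{sched}/{grab('modifier')}"
    return Task(name=grab("name"), schedule=sched, image=grab("image"),
                highest=grab("runlevel").upper() == "HIGHEST")


def assess(task: Task) -> Task:
    """Attach reasons: system-process name outside system dirs, and elevated recurring/logon tasks."""
    base = ntpath.basename(task.image).lower()
    folder = ntpath.dirname(task.image).lower()
    if base in SYSTEM_IMAGE_NAMES and folder not in SYSTEM_DIRS:
        task.reasons.append(f"masquerade: {base} outside system dirs ({folder})")
    if task.highest and task.schedule.startswith(("ONLOGON", "MINUTE")):
        task.reasons.append(f"elevated {task.schedule} task")
    return task


def triage(lines) -> list:
    return [assess(parse_schtasks(line)) for line in lines]


def persistence_layout(tasks) -> dict:
    """Map each flagged image path to the sorted list of schedules registered for it."""
    layout = defaultdict(list)
    for t in tasks:
        if t.reasons:
            layout[t.image].append(t.schedule)
    return {image: sorted(scheds) for image, scheds in layout.items()}


if __name__ == "__main__":
    for image, scheds in persistence_layout(triage(SCHTASKS_LINES)).items():
        print(f"{image}: {', '.join(scheds)}")
```

Two points when applying this to the full list: C:\Users\All Users and C:\Users\Default User are junctions to C:\ProgramData and C:\Users\Default, so the task targets C:\Users\All Users\Adobe\Updater6\lsass.exe and C:\Users\All Users\Microsoft Help\lsass.exe are the same files the Downloads section lists under C:\ProgramData; and the directory check is the strong signal, since a /rl HIGHEST logon task on its own is also how legitimate software registers elevated helpers.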

                                                Network

                                                MITRE ATT&CK Enterprise v15


                                                Downloads

                                                • C:\MSOCache\All Users\dllhost.exe

                                                  Filesize

                                                  3.2MB

                                                  MD5

                                                  b528a71c2481671646f860dc135a024d

                                                  SHA1

                                                  4cb24f495e7dce7bcae557aa4913d4195c53f63a

                                                  SHA256

                                                  748ed4d86d6bcb4b227dbf7ecb7ace18c2e6b7c908606f66be3381d6ea52c4b5

                                                  SHA512

                                                  2bfc97bd9ba092b7378908ed4bb7811c679d5503f92e7a98657717edc14a95611f0145d3e0786de625f3d7fb8ab0247070ffce4261e0694b2abb40385f40572a

                                                • C:\Program Files (x86)\Windows NT\TableTextService\es-ES\csrss.exe

                                                  Filesize

                                                  3.2MB

                                                  MD5

                                                  6027e1528af2f4aed482e4edd058f1d0

                                                  SHA1

                                                  809db11e8b38db7a283ffd284d88b25f2ef32209

                                                  SHA256

                                                  695cc40b67b0ea5c6a4c9e9fb432beffbd8ae8a32cc922235e60e4c19271a296

                                                  SHA512

                                                  60cbbd68fa220a067252fdca36c7ad96f00fda8676c4432d2bff5a5df686a4f757c5094bbaf0b25c8686eda366af2a7a0c6c67c1ba13cf3cee90acd58fe7e536

                                                • C:\Program Files\7-Zip\Lang\csrss.exe

                                                  Filesize

                                                  3.2MB

                                                  MD5

                                                  8df05a7afeb24bfed11bdb7b8ee9d835

                                                  SHA1

                                                  c9b79f99f256ace051d271cb9f7ae318a97f0e8e

                                                  SHA256

                                                  64f8f1e12627588718136a1fc129060de5ba18670ca0528d2994d9fdd2fc9e01

                                                  SHA512

                                                  176c0f696d7994d4c5cb5971157aeaa0881420811bbc58654bcc1e6ee9b5b4435080752672f6f4f3cd7f10d6c1fc5d679fbe6a3c85784dd65aa2ad1c73b3fd23

                                                • C:\ProgramData\Adobe\Updater6\lsass.exe

                                                  Filesize

                                                  3.2MB

                                                  MD5

                                                  abd23823f040833e541d2388d92643be

                                                  SHA1

                                                  0bddfd22e71d8b700815123d3596d0922f5a55cd

                                                  SHA256

                                                  b5914f66fa2ba100d6b53e5e8dacd7f7b604ee3cf1719b2f81a43e874fbac7ef

                                                  SHA512

                                                  060745e473acd01759b7329d2a7a737272bb9c827d29e15c2fd952267ed84576c90a7a5a4f5519c7828a392ffe570aba3b10cc9633343319ae57f988afc81e8b

                                                • C:\ProgramData\Microsoft Help\lsass.exe

                                                  Filesize

                                                  3.2MB

                                                  MD5

                                                  1b0cd3fdaee291313ed947fedc264c02

                                                  SHA1

                                                  c32b5afdf5e2dfa594cb18a9de7855076e202cbb

                                                  SHA256

                                                  ed4ed2267d6e48b2f3d1127a258c6fb8566824a93b241586bc65b6a0f25cad7c

                                                  SHA512

                                                  537264646a50262cf0cef79941673ef5beee260e98a1d2a200604f9aa8936dbdc4b195f923d1a049e33735f0c71313b778daad926383904424d8467f18f5cb8f

                                                • C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe

                                                  Filesize

                                                  3.2MB

                                                  MD5

                                                  da302f8b90f36acd84743c7639d4e0d0

                                                  SHA1

                                                  f8fdb617872a6f31fc21b7d7826efba0651077a4

                                                  SHA256

                                                  a22fcf8eea502fd77a86507ef856f97512aeed2006a0d79f122850f5d14dcf9b

                                                  SHA512

                                                  cb2392bfd6277ba436ccf0421baccbae4f2b6ef2ecbcd2c72c95de2e3a820a212cd9c7d3662795290341d9c285e75a8a2111fda8bb1ec296a9772689a9af9646

                                                • C:\Users\Admin\AppData\Local\Temp\3e2015e1-9de3-40d9-9498-5d86330c1ffe.vbs

                                                  Filesize

                                                  709B

                                                  MD5

                                                  6fa848df25aa5fa0c527713c570829f6

                                                  SHA1

                                                  94e8a0815da30796a421e965a32d335330b4570f

                                                  SHA256

                                                  9f05a5224a195a89ac803d85dd7f553d5aec45a26e4275612f19e68b93a958a3

                                                  SHA512

                                                  54e6fceec03681fae00197b8b5278f20aeaeb50db7a4dccb183fee2b57941142ed7d57000981c360ae70c6eaca80f5d6697e18b7a03e505b2fdba21773153d2a

                                                • C:\Users\Admin\AppData\Local\Temp\44147dcb-cc2f-494a-bff0-d297e8ab25e0.vbs

                                                  Filesize

                                                  708B

                                                  MD5

                                                  9a80baf0c7948520c1ce3d9759413ebc

                                                  SHA1

                                                  792dfbead5ceb1aa8c88d6b1cf96e4d37b279afe

                                                  SHA256

                                                  1c6222f5efcbf7d3488f266e997770e3e0a13a8527b8fa68e1f4e9e8e784e6fb

                                                  SHA512

                                                  b1c823d7a5a5bd8cbbb08179a6693bba277c4ecc90058f08eefa35a65ff7c62b15ad71fe01a29d5bc55267f21d37b5f1074a9693f1274808246dda7b0b8ebdeb

                                                • C:\Users\Admin\AppData\Local\Temp\5239759f-5e77-4774-9bf0-9fe579501fcd.vbs

                                                  Filesize

                                                  709B

                                                  MD5

                                                  ea6d199cb3b78accf256018571cc6d33

                                                  SHA1

                                                  832cc1113e6074151147cb6cf3caec8ca26f5878

                                                  SHA256

                                                  4c50e37553760fdde86e45493e77b922807cb69b62aed1f9c78a8f6a5b40e391

                                                  SHA512

                                                  7d5999e850fd65be2a552ba2f54314c1baedcaa3bc8da0269b3231311630358200814a4d56a521370ff4c6f2fe7e70e6892342824fecd539085bdaee4c4d2450

                                                • C:\Users\Admin\AppData\Local\Temp\6b657a66-38ba-4374-a469-85bc2c251b46.vbs

                                                  Filesize

                                                  709B

                                                  MD5

                                                  539f0e1906b9ab4b4806ee993df8fb40

                                                  SHA1

                                                  0f7299c8b54361c24e6dfecadf31af76d75a32f0

                                                  SHA256

                                                  997ce0b447e876370107e3c56fed7180864e0cc408a49429338ac3ac0e962f35

                                                  SHA512

                                                  05c295c5766ae341cf49f03734c037f5bb4c40ce8290ba08fd411e271a8b6ccebb5b39d94736f69c8cc85c91f8dbe0926ae88bc6ecdb758df9d54bc34c2273ce

                                                • C:\Users\Admin\AppData\Local\Temp\6c327601-3250-4502-8e78-7786749bbcb7.vbs

                                                  Filesize

                                                  709B

                                                  MD5

                                                  34010b0d25249015693f72e88a82fd48

                                                  SHA1

                                                  6810b28d142e96b22b9bc2628ee43a6dd8d56abb

                                                  SHA256

                                                  2ff3d5539223f7fe9ce71f4de841393f321f5902beb3249ae8c8dd154f2d1a6e

                                                  SHA512

                                                  54d878f6bf44b216438bf74bb0387229c165a210139880739a49b5c7cd87847a39645b0f9724dbc1c94514f099d18a52c824a0da465386da5ac0f4e38df15d1a

                                                • C:\Users\Admin\AppData\Local\Temp\7104dc35-1082-4716-b98f-7e4dff457c03.vbs

                                                  Filesize

                                                  709B

                                                  MD5

                                                  4b308412cc615a1467d436dd87f36dc2

                                                  SHA1

                                                  7ed2611357f54dcdde32407ceb5da1763fb83de0

                                                  SHA256

                                                  d89509da03abb6b03c87ae00109ac25a73de58ba80bb5a96410caa4ac6c84a76

                                                  SHA512

                                                  f3009ae8772ac58fb8ff4368c4bd2ccba266c2afe76bd9353edabefd99769c617435a7c47939adf866d0463f601da0c1e10604ed454a884ee47c7dec1c5e8ed9

                                                • C:\Users\Admin\AppData\Local\Temp\731d4967-d31e-4e8c-b242-92bb7dbca494.vbs

                                                  Filesize

                                                  708B

                                                  MD5

                                                  c8f230ade386ac9781daafe8826e8483

                                                  SHA1

                                                  901607a8a106006771517728318e9ebddfb35aba

                                                  SHA256

                                                  554cf0a3c31460b65eb085369659f341f3d51b7882b988a0a311322938158405

                                                  SHA512

                                                  41154b1bba1dab378841e8683a6b033493947420594b59f126d538e9619cf7d282e56c6b0c27dbb5efd3ff4bb0820140422bfa77aab3a0b644d9c78ba01b2e7d

                                                • C:\Users\Admin\AppData\Local\Temp\77b8499b-8f07-4007-bea7-7851fdfa0d67.vbs

                                                  Filesize

                                                  709B

                                                  MD5

                                                  6e44c75178e5170640666480dc857337

                                                  SHA1

                                                  b06501084da1b7afde1d069e2eb73bf60f8d9d93

                                                  SHA256

                                                  fd30b7d9c58f3784b646e5e3d66c1cece7f1cc933a771b943c44574adc5ffa69

                                                  SHA512

                                                  66617ff6fb015d54a55f00a15ffcb06520194d7bc45fd68f17b747aec910cd16b5b8b12560f13100b7c047f140eb017dbe7e79ebe8943e70974044c5d5216cdf

• C:\Users\Admin\AppData\Local\Temp\975DOJvBwA.bat
  Filesize: 198B
  MD5: cb504a7e7f6623c5e851387d470ba840
  SHA1: c36ad8b77b05da771eb8c1aa3dd83d9353e1e628
  SHA256: 650bfba7cc8044cd48bb463f833ecf7ea2040fa25deb594e5af3d52cb5fac204
  SHA512: 1db39a55e075489c375fba836f3bcd426a7ccb4d9a20a375b54e12e7783a1db66a24a83da148348640208dc970752fbd0e4a453155fc23122167f25dccf66d31

• C:\Users\Admin\AppData\Local\Temp\9995948e-2435-48e8-9432-61a8c13d89f3.vbs
  Filesize: 485B
  MD5: 6bebb880bc70b375b28d1267815307fc
  SHA1: 2c03243d17a8c15423c80cfd4941f5020a232f86
  SHA256: 85c395ace4aa90777846f8921c72ee2cd747b68ce2a7a32061d8dc77c67d28a9
  SHA512: db016ca7c535b89e58135061fab52e957ef75ec4ce31575980a8ddb74a3b82eacc9bc30d03b9778473937123c1d55400da1e79c37848c99a2307de772000a743

• C:\Users\Admin\AppData\Local\Temp\bba88df0-dab3-4108-aa84-9b58efd0ae1b.vbs
  Filesize: 709B
  MD5: b0fd80aa93075a62a815e5ae0ef4ed69
  SHA1: 2e8703ec3dc9fa169da6c2ac87d8a01b6dd1c45b
  SHA256: c64ffbdf0946cb4e0a46063c29b5e79a67e69829044d7d72f8b31c9258b813d9
  SHA512: 8aa0dbceba11eaba5c2903a35b1cec84ff1fc058fc1d7877627d1352f60b74cc231afd99503a445199077d18021bc1667d9658480c348160324db101d9a8b730

• C:\Users\Admin\AppData\Local\Temp\d9d29ded-b1be-4ae0-bd66-9934a6581e61.vbs
  Filesize: 709B
  MD5: 1cce540aa564efff482e0b7bb0e9416a
  SHA1: 743718d05ffa086740305046c24cc383890c7ffd
  SHA256: 34f00fe6ed3154a7b1f933c8247454ffa93fc43e980b7dcf18b03141ffabba6e
  SHA512: 080cfbce3aab9aac447d7e93c30f249b0b0d109eb4ba0da52b677b2bd5abe08a3e9dc363100d0b545d0221c098cf3c5d0c35a57375bda34fc94b36a31eb8d57b

• C:\Users\Admin\AppData\Local\Temp\e2ce8f7a-d2ab-43af-a77d-8256a62ab62a.vbs
  Filesize: 709B
  MD5: 296b5566df2f295ab2228eac2c8718c0
  SHA1: cf515aeccc1f0dd0d8ff1c580d5079259e0d17cf
  SHA256: eb6ffb4ce993b12f5d20d67923e1abc7de4daa188a687e67140cb87d9316ec1a
  SHA512: d568346a1eecb51cef06dea705607714bba5e73d851073a821f3f77bfae867ad829f3a398b4c49277636a3519e29d205f749048c1931454e6d63e1718e1b134e

• C:\Users\Admin\AppData\Local\Temp\ff2f51e7-6311-4120-8bb4-8f30828e7a97.vbs
  Filesize: 709B
  MD5: 39f13f67821e107c5bb7439016a24bfb
  SHA1: 27e07b96d179c81602e738d06b93a31ad9711ac2
  SHA256: 360f2c3d836e9c82e4aebd95fd1490407688b829a28739efc1c7b2a42742d50f
  SHA512: 06d7ad462a20602fbbfbd55e78f04c2e32bd32ec94307e65b08b9eb8f1a34b9f1b769ceabe94eee2c060f888648b70ae636fafacbbba971baf27bbe1ef404796

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: f1668cae22f749bf0ad19f25479f0569
  SHA1: 958111a610c26f39fb0af8aadb07962d8ac9c6c1
  SHA256: 68bd4da53a2c45d2587cc562c5c300e322b0577ada05844624c2d168efdf8cfc
  SHA512: a183f5a4a05528e57989421a932cc1e719084bd521867f1a0897c3d6d36045c373694caad1b6518ede37c838d4482b292dca9ceed41f242d883c3fce2c10edea

• C:\Users\Default\Music\RCX4586.tmp
  Filesize: 3.2MB
  MD5: 8a769600a2f9fca385bbc608fac9ce5c
  SHA1: 7cb96efa050b4ce4069e59368207448308960fa4
  SHA256: 7fcc94712003093d6350e47b0b4cdb2703b281eacfb9222ec588483caeef6c2f
  SHA512: c40ec8a56de495451e0b3d9a481bbbed093fa4fa15dfa8664f26ab6403c8b6389883e7f4d26ff31ba48a665c2580a5a15d716a6016f195a64d1043769d391a9f

• memory/992-333-0x00000000010A0000-0x00000000013DC000-memory.dmp
  Filesize: 3.2MB

• memory/1260-322-0x0000000000E60000-0x000000000119C000-memory.dmp
  Filesize: 3.2MB

• memory/1280-369-0x00000000002C0000-0x00000000005FC000-memory.dmp
  Filesize: 3.2MB

• memory/1620-12-0x00000000012C0000-0x00000000012CA000-memory.dmp
  Filesize: 40KB

• memory/1620-31-0x000000001AFF0000-0x000000001AFFC000-memory.dmp
  Filesize: 48KB

• memory/1620-26-0x000000001AF20000-0x000000001AF28000-memory.dmp
  Filesize: 32KB

• memory/1620-28-0x000000001AFC0000-0x000000001AFCC000-memory.dmp
  Filesize: 48KB

• memory/1620-29-0x000000001AFD0000-0x000000001AFD8000-memory.dmp
  Filesize: 32KB

• memory/1620-30-0x000000001AFE0000-0x000000001AFEA000-memory.dmp
  Filesize: 40KB

• memory/1620-1-0x00000000012F0000-0x000000000162C000-memory.dmp
  Filesize: 3.2MB

• memory/1620-32-0x000007FEF5320000-0x000007FEF5D0C000-memory.dmp
  Filesize: 9.9MB

• memory/1620-19-0x000000001AEB0000-0x000000001AEBC000-memory.dmp
  Filesize: 48KB

• memory/1620-18-0x000000001AE80000-0x000000001AE92000-memory.dmp
  Filesize: 72KB

• memory/1620-17-0x000000001AAA0000-0x000000001AAA8000-memory.dmp
  Filesize: 32KB

• memory/1620-2-0x000007FEF5320000-0x000007FEF5D0C000-memory.dmp
  Filesize: 9.9MB

• memory/1620-15-0x000000001AA80000-0x000000001AA88000-memory.dmp
  Filesize: 32KB

• memory/1620-25-0x000000001AF10000-0x000000001AF1E000-memory.dmp
  Filesize: 56KB

• memory/1620-14-0x00000000012E0000-0x00000000012EC000-memory.dmp
  Filesize: 48KB

• memory/1620-24-0x000000001AF00000-0x000000001AF0A000-memory.dmp
  Filesize: 40KB

• memory/1620-268-0x000007FEF5320000-0x000007FEF5D0C000-memory.dmp
  Filesize: 9.9MB

• memory/1620-3-0x0000000000980000-0x000000000098E000-memory.dmp
  Filesize: 56KB

• memory/1620-4-0x0000000000990000-0x000000000099E000-memory.dmp
  Filesize: 56KB

• memory/1620-13-0x000000001AA30000-0x000000001AA86000-memory.dmp
  Filesize: 344KB

• memory/1620-10-0x00000000012B0000-0x00000000012B8000-memory.dmp
  Filesize: 32KB

• memory/1620-20-0x000000001AEC0000-0x000000001AECC000-memory.dmp
  Filesize: 48KB

• memory/1620-11-0x00000000012D0000-0x00000000012E0000-memory.dmp
  Filesize: 64KB

• memory/1620-22-0x000000001AEE0000-0x000000001AEEC000-memory.dmp
  Filesize: 48KB

• memory/1620-23-0x000000001AEF0000-0x000000001AEF8000-memory.dmp
  Filesize: 32KB

• memory/1620-27-0x000000001AF30000-0x000000001AF3E000-memory.dmp
  Filesize: 56KB

• memory/1620-16-0x000000001AA90000-0x000000001AA9C000-memory.dmp
  Filesize: 48KB

• memory/1620-9-0x0000000001290000-0x00000000012A6000-memory.dmp
  Filesize: 88KB

• memory/1620-0-0x000007FEF5323000-0x000007FEF5324000-memory.dmp
  Filesize: 4KB

• memory/1620-21-0x000000001AED0000-0x000000001AEDC000-memory.dmp
  Filesize: 48KB

• memory/1620-8-0x0000000001280000-0x0000000001290000-memory.dmp
  Filesize: 64KB

• memory/1620-5-0x0000000000A20000-0x0000000000A28000-memory.dmp
  Filesize: 32KB

• memory/1620-6-0x0000000001260000-0x000000000127C000-memory.dmp
  Filesize: 112KB

• memory/1620-7-0x0000000000DD0000-0x0000000000DD8000-memory.dmp
  Filesize: 32KB

• memory/1676-406-0x0000000000080000-0x00000000003BC000-memory.dmp
  Filesize: 3.2MB

• memory/1676-407-0x0000000000890000-0x00000000008E6000-memory.dmp
  Filesize: 344KB

• memory/1812-346-0x0000000000BF0000-0x0000000000C02000-memory.dmp
  Filesize: 72KB

• memory/1812-345-0x0000000001260000-0x000000000159C000-memory.dmp
  Filesize: 3.2MB

• memory/2268-457-0x0000000000EA0000-0x00000000011DC000-memory.dmp
  Filesize: 3.2MB

• memory/2480-382-0x0000000000C20000-0x0000000000C76000-memory.dmp
  Filesize: 344KB

• memory/2480-381-0x00000000011B0000-0x00000000014EC000-memory.dmp
  Filesize: 3.2MB

• memory/2480-383-0x00000000006D0000-0x00000000006E2000-memory.dmp
  Filesize: 72KB

• memory/2760-444-0x0000000000B90000-0x0000000000ECC000-memory.dmp
  Filesize: 3.2MB

• memory/2760-445-0x0000000002310000-0x0000000002366000-memory.dmp
  Filesize: 344KB

• memory/2764-420-0x00000000022D0000-0x00000000022E2000-memory.dmp
  Filesize: 72KB

• memory/2764-419-0x0000000000250000-0x000000000058C000-memory.dmp
  Filesize: 3.2MB

• memory/2860-279-0x000000001B5E0000-0x000000001B8C2000-memory.dmp
  Filesize: 2.9MB

• memory/2860-280-0x0000000002850000-0x0000000002858000-memory.dmp
  Filesize: 32KB

• memory/2936-432-0x00000000000C0000-0x00000000003FC000-memory.dmp
  Filesize: 3.2MB