Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-05-2024 14:32

General

  • Target

    d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe

  • Size

    3.2MB

  • MD5

    d67c083b7f55c40deae2ac79549d0a70

  • SHA1

    c47be45497fe044d732a847a21b7b2be0172c8c5

  • SHA256

    ba381b7847ed129aa068cee625f78d7a8ec511a55d55feb86e22159ab43b6357

  • SHA512

    2fb0a24efd4e6349cc1f0f4193ac1b512dcb679478b65f51fb967b6c736192eb0e161e7020756e4a9ce03f89aae7789bac5ce57c0968ee60b095a25654511d6d

  • SSDEEP

    49152:HC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:HC0Fl8v/qXYrv5tG9uKJGAWl5N

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 21 IoCs
  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Checks whether UAC is enabled 1 TTPs 14 IoCs
  • Drops file in Program Files directory 40 IoCs
  • Drops file in Windows directory 20 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs
  • System policy modification 1 TTPs 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1224
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2920
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4948
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1052
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4444
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1948
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1040
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1792
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4796
    • C:\Windows\Fonts\sysmon.exe
      "C:\Windows\Fonts\sysmon.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3476
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\faddd38c-ce1b-4671-9b8e-b9ebc2a9cbc2.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4192
        • C:\Windows\Fonts\sysmon.exe
          C:\Windows\Fonts\sysmon.exe
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2492
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07ff5301-3cb1-409a-8ccd-184d8b2912dc.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1580
            • C:\Windows\Fonts\sysmon.exe
              C:\Windows\Fonts\sysmon.exe
              6⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:5036
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1005c37e-541d-4f19-a03a-bb55c4d01f46.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:3756
                • C:\Windows\Fonts\sysmon.exe
                  C:\Windows\Fonts\sysmon.exe
                  8⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:3168
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aad207a3-8e95-4357-b30e-50a06a4d5c45.vbs"
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4908
                    • C:\Windows\Fonts\sysmon.exe
                      C:\Windows\Fonts\sysmon.exe
                      10⤵
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:3396
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69b23107-1c51-4a3a-a353-bfa1ad404d47.vbs"
                        11⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3532
                        • C:\Windows\Fonts\sysmon.exe
                          C:\Windows\Fonts\sysmon.exe
                          12⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:3236
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8af7815c-56d8-4e22-ad73-41edb9d735d5.vbs"
                            13⤵
                              PID:4544
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b541f5d2-5424-47c8-8f8e-d8221f796a35.vbs"
                              13⤵
                                PID:2232
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df06015f-b1d1-499f-99fc-2c83191ac0a8.vbs"
                            11⤵
                              PID:776
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1dcf7ad7-b4ff-4c87-a20c-91c3e414def8.vbs"
                          9⤵
                            PID:1292
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\473f913f-e1ea-40d7-a9fd-19d54913f4a6.vbs"
                        7⤵
                          PID:1888
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bb198b2-fa1e-4c96-8ca5-3153e05cc1f8.vbs"
                      5⤵
                        PID:2808
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1f30b00-fc7d-457e-b424-7247b1372cc5.vbs"
                    3⤵
                      PID:4972
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:3148
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:3664
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:396
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\SearchApp.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:1732
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\SearchApp.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:4812
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\SearchApp.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:5104
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:1596
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:2544
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:2264
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\services.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:5064
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\services.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:3268
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\services.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:4192
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\images\dllhost.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:1504
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\dllhost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:4904
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\images\dllhost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:4516
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:1812
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:1364
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:1884
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\upfc.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:3764
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\upfc.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:3440
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\upfc.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:1656
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:4220
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:428
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:4376
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\backgroundTaskHost.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:1660
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Performance\backgroundTaskHost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:5016
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\backgroundTaskHost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:2688
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:1640
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:440
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:4784
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\browser\StartMenuExperienceHost.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:1952
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:2744
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\browser\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:624
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\fontdrvhost.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:1984
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Help\fontdrvhost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:4788
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\fontdrvhost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:2256
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\sysmon.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:2368
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Fonts\sysmon.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:3444
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\sysmon.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:3280
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\upfc.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:4524
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\ModemLogs\upfc.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:2324
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\upfc.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:3368
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Pictures\Camera Roll\spoolsv.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:2412
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Camera Roll\spoolsv.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:4928
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Pictures\Camera Roll\spoolsv.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:3312
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\System.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:5072
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\System.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:1172
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\System.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Creates scheduled task(s)
                  PID:4056

                Network

                MITRE ATT&CK Enterprise v15

                Downloads

                • C:\Program Files (x86)\Internet Explorer\images\dllhost.exe

                  Filesize

                  3.2MB

                  MD5

                  d67c083b7f55c40deae2ac79549d0a70

                  SHA1

                  c47be45497fe044d732a847a21b7b2be0172c8c5

                  SHA256

                  ba381b7847ed129aa068cee625f78d7a8ec511a55d55feb86e22159ab43b6357

                  SHA512

                  2fb0a24efd4e6349cc1f0f4193ac1b512dcb679478b65f51fb967b6c736192eb0e161e7020756e4a9ce03f89aae7789bac5ce57c0968ee60b095a25654511d6d

                • C:\Program Files (x86)\Internet Explorer\images\dllhost.exe

                  Filesize

                  3.2MB

                  MD5

                  1320ddaa154d7ab22e2a738a0d6c8d7b

                  SHA1

                  416aea2a6e2378fa7bb5e478c18eeee98f3c13c7

                  SHA256

                  8cef5661fb2f20706ec8a7f0ed3e5e305ebc1a844f9268a45b354ccc6a1b00b5

                  SHA512

                  69e414ee0f5f4ff7c59b7aaaac6d3ba5ef8fbf16ce4a5122224dfb1696153e545128e292f4fe88642f302b183dee248926d6181ae09b73085bba10b562c07a0a

                • C:\Program Files (x86)\Windows NT\Accessories\System.exe

                  Filesize

                  3.2MB

                  MD5

                  be35365662cd9d605fe6617807239ee7

                  SHA1

                  40ad063d455a823dfcc1f1c192895afcf6b43deb

                  SHA256

                  3bf575b3b7a41d712a4f324312ea042d346680d06fdd4ab2aa6f64b7ef500fa2

                  SHA512

                  080d2c458e5c0aca8f4890ac5f99083dc89642fae351c95a5f01035d20cff98890c2c934998548cc78636169e5e751a5ce5b9b2b35c66aadcbab88ffcf7a152e

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                  Filesize

                  2KB

                  MD5

                  d85ba6ff808d9e5444a4b369f5bc2730

                  SHA1

                  31aa9d96590fff6981b315e0b391b575e4c0804a

                  SHA256

                  84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                  SHA512

                  8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

                  Filesize

                  1KB

                  MD5

                  49b64127208271d8f797256057d0b006

                  SHA1

                  b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

                  SHA256

                  2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

                  SHA512

                  f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize: 944B
                  MD5: d28a889fd956d5cb3accfbaf1143eb6f
                  SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
                  SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
                  SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize: 944B
                  MD5: 59d97011e091004eaffb9816aa0b9abd
                  SHA1: 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
                  SHA256: 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
                  SHA512: d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize: 944B
                  MD5: 3a6bad9528f8e23fb5c77fbd81fa28e8
                  SHA1: f127317c3bc6407f536c0f0600dcbcf1aabfba36
                  SHA256: 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
                  SHA512: 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize: 944B
                  MD5: 2e907f77659a6601fcc408274894da2e
                  SHA1: 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
                  SHA256: 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
                  SHA512: 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                • C:\Users\Admin\AppData\Local\Temp\07ff5301-3cb1-409a-8ccd-184d8b2912dc.vbs
                  Filesize: 703B
                  MD5: 59b03894b9002907c200a1d10f7957c3
                  SHA1: 569777ee08d2261f0b81c924c2dac91777ea4f1b
                  SHA256: 2c6aec65bc2e95505a281d2f94a93ca29377a9fa1d1dd59feaeb62a57059924a
                  SHA512: 0ab91393938f432f9facd2da76f196b3d1fbb7d81a5cb8d898f6e941fb6eabd09d47431ba805890fc4026b731cebbbb49df6636b1ff9b03a73a7650514caec46

                • C:\Users\Admin\AppData\Local\Temp\1005c37e-541d-4f19-a03a-bb55c4d01f46.vbs
                  Filesize: 703B
                  MD5: 51b873ff78e40d92791adac1bad9dcc7
                  SHA1: 5ca65083ce58f18be3ec58637bd7d0233f697af2
                  SHA256: af34f882dba555ce9660d712d39ccf24a31bd98b20fb86cc659092d20f06d672
                  SHA512: 225470ab3aed5fd7f81044f3d5532cb3fb713a213a7ebf0f066d1e97449993f21a00b6952bcfe5b99ca2ab4fab4c7581756823645294cfd22d9f7e25f18e0eb3

                • C:\Users\Admin\AppData\Local\Temp\69b23107-1c51-4a3a-a353-bfa1ad404d47.vbs
                  Filesize: 703B
                  MD5: 2813f17aa03f7d8d50b176d36c0b0146
                  SHA1: 36e714afeca561c30102c250f206cfbbf1bac93c
                  SHA256: 6882ce12c6821db2faa7c3d03f91322bf17892fa7d247c5903001d1695caf88c
                  SHA512: 99d588e40c7c63dc540358c693dd486b0195a556162ef0b553195566d15f7cbd7086fb4271f9e948c426b5cc3fcf8b0821d7832f047140cb7eed02f1ab9f6cd7

                • C:\Users\Admin\AppData\Local\Temp\8af7815c-56d8-4e22-ad73-41edb9d735d5.vbs
                  Filesize: 703B
                  MD5: 424a972dd4915f5eb186d0155e8639b3
                  SHA1: 19d0d66ed7ef5fe649cc2409d97db286b0a384be
                  SHA256: 3af300d7edb6de5434c3c7d3e60b975438d2aaaee4590a1464e74dc51462d2b9
                  SHA512: b1b530af486252c375b0a568ec3fc02016dfdbec69f8f5bd2a364aead52e10654751b2e47767af1a203600976acdcf6cda878968f7c1a09a0ee660b8831cfcfa

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sqe0fitq.j1m.ps1
                  Filesize: 60B
                  MD5: d17fe0a3f47be24a6453e9ef58c94641
                  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
                  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
                  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                • C:\Users\Admin\AppData\Local\Temp\aad207a3-8e95-4357-b30e-50a06a4d5c45.vbs
                  Filesize: 703B
                  MD5: 4f4d8fc0c5b7dd35f2c8b5eb55f245f1
                  SHA1: 5b613d29fabac76c07950ea0a5aff714c07138fe
                  SHA256: 0cc527021b0e526874d5a21827343c8296aac6963a346dcfd363e2f1080ff081
                  SHA512: 8e9cb90b8b8169c579ffb9c632764edaed228698cea3ba04070a1f1cab4215c465973f821def779b9737686e92a3487b88ffdf7c11127267e161b9c46c3e097a

                • C:\Users\Admin\AppData\Local\Temp\e1f30b00-fc7d-457e-b424-7247b1372cc5.vbs
                  Filesize: 479B
                  MD5: 2b4394d36333629d50679f23b39fc490
                  SHA1: 07ea3bd6ae02e349f39dd44f22423b3c0c47bc3a
                  SHA256: 99672768948a9f6043f3700df24b4639e9dce05eb54ce00530e58a65fdcabcde
                  SHA512: 48ca7e7a6fc0232c4c7db036a1e770e8e0a21f4e0bd2c31205438c8cd890e492cd555582042202f179babe9c9e5eda3014dca5276be68f91d60b1891ab67c4e1

                • C:\Users\Admin\AppData\Local\Temp\faddd38c-ce1b-4671-9b8e-b9ebc2a9cbc2.vbs
                  Filesize: 703B
                  MD5: 920405a68fe967b9c82e2446ab0fd6b5
                  SHA1: ebc13c2d9f5c7f025597177c818380778cf40b54
                  SHA256: 0268ab0c269df25056d89fb294825a43148b9ed4836461a0d773b77f6d0783bf
                  SHA512: acf02c0978595803ad3913f3a9d4b39cea96c2f8d42d8baacd1d32509352a743a979ba9a4e14bc838b7531e02b48b715d49e98f7bc9e338d83b28ea46038ffba

                • C:\Windows\Fonts\sysmon.exe
                  Filesize: 3.2MB
                  MD5: f4681fa967ba0859ab216a8669ff3b41
                  SHA1: 835da04c16f96cf0544561e5f812f1f41fd692a4
                  SHA256: 1c0a754c127a1c4f5c349d2228135d135f0937a5de1a6eabbbdb13702e321517
                  SHA512: f34e95c794b9fb842c03ac020bc9249c99d5e7ece3d3a9e8c1e4bbf5f7ce8328919980a82dfe7af5450d61cee550fefba57e839c386c3e781506570b8f2af00d

                • C:\Windows\ModemLogs\upfc.exe
                  Filesize: 3.2MB
                  MD5: 54271049ecd01a9872797efa308a5683
                  SHA1: 7a103af3cdc84fecf1e8610057e0bc199ddbd608
                  SHA256: 7087ff45692728e6ec8f8e68b4a481645aeb964ac951a0a90059168153b356ed
                  SHA512: 61f4e148259ce83ab71041dea54c56978448f5143e39de31067e4c2eace89872aa70b4c12071f344930a15d438545c62beafe5f221ac5c86134bdb1ef6e27f54

                • C:\Windows\Performance\backgroundTaskHost.exe
                  Filesize: 3.2MB
                  MD5: f1389e0576e96fc0209a6eb53a780b68
                  SHA1: a354c1df46ede577337b093bd9e5b3fbc6e3a18a
                  SHA256: 9af5678a1b89e4036ad81457b0a5d52264fb20cfba489f4f04ab323b5ed77eed
                  SHA512: 57ade46a978dde84843b47f18f3d2a229ff8c964e1442c329dccbab593b24cea4241d2ed12500f9649a96a22fddf5c41a8a1c2afe8641f9f909491c9f62b2cc8

                • memory/1040-298-0x000001CDB7AB0000-0x000001CDB7AD2000-memory.dmp (Filesize: 136KB)
                • memory/1224-14-0x000000001C320000-0x000000001C376000-memory.dmp (Filesize: 344KB)
                • memory/1224-17-0x000000001C490000-0x000000001C49C000-memory.dmp (Filesize: 48KB)
                • memory/1224-23-0x000000001C3F0000-0x000000001C3FC000-memory.dmp (Filesize: 48KB)
                • memory/1224-24-0x000000001C400000-0x000000001C40C000-memory.dmp (Filesize: 48KB)
                • memory/1224-25-0x000000001C410000-0x000000001C418000-memory.dmp (Filesize: 32KB)
                • memory/1224-30-0x000000001C460000-0x000000001C46C000-memory.dmp (Filesize: 48KB)
                • memory/1224-26-0x000000001C420000-0x000000001C42A000-memory.dmp (Filesize: 40KB)
                • memory/1224-32-0x00007FFF7CB10000-0x00007FFF7D5D1000-memory.dmp (Filesize: 10.8MB)
                • memory/1224-34-0x000000001C6E0000-0x000000001C6EC000-memory.dmp (Filesize: 48KB)
                • memory/1224-33-0x000000001C480000-0x000000001C48A000-memory.dmp (Filesize: 40KB)
                • memory/1224-31-0x000000001C470000-0x000000001C478000-memory.dmp (Filesize: 32KB)
                • memory/1224-35-0x00007FFF7CB10000-0x00007FFF7D5D1000-memory.dmp (Filesize: 10.8MB)
                • memory/1224-27-0x000000001C430000-0x000000001C43E000-memory.dmp (Filesize: 56KB)
                • memory/1224-29-0x000000001C450000-0x000000001C45E000-memory.dmp (Filesize: 56KB)
                • memory/1224-28-0x000000001C440000-0x000000001C448000-memory.dmp (Filesize: 32KB)
                • memory/1224-21-0x000000001C3D0000-0x000000001C3DC000-memory.dmp (Filesize: 48KB)
                • memory/1224-20-0x000000001C9D0000-0x000000001CEF8000-memory.dmp (Filesize: 5.2MB)
                • memory/1224-19-0x000000001C3A0000-0x000000001C3B2000-memory.dmp (Filesize: 72KB)
                • memory/1224-18-0x000000001C390000-0x000000001C398000-memory.dmp (Filesize: 32KB)
                • memory/1224-22-0x000000001C3E0000-0x000000001C3EC000-memory.dmp (Filesize: 48KB)
                • memory/1224-16-0x000000001C380000-0x000000001C388000-memory.dmp (Filesize: 32KB)
                • memory/1224-15-0x000000001C370000-0x000000001C37C000-memory.dmp (Filesize: 48KB)
                • memory/1224-1-0x0000000000CC0000-0x0000000000FFC000-memory.dmp (Filesize: 3.2MB)
                • memory/1224-13-0x000000001C310000-0x000000001C31A000-memory.dmp (Filesize: 40KB)
                • memory/1224-12-0x000000001C300000-0x000000001C310000-memory.dmp (Filesize: 64KB)
                • memory/1224-411-0x00007FFF7CB10000-0x00007FFF7D5D1000-memory.dmp (Filesize: 10.8MB)
                • memory/1224-0-0x00007FFF7CB13000-0x00007FFF7CB15000-memory.dmp (Filesize: 8KB)
                • memory/1224-8-0x000000001BD50000-0x000000001BD58000-memory.dmp (Filesize: 32KB)
                • memory/1224-9-0x000000001BD60000-0x000000001BD70000-memory.dmp (Filesize: 64KB)
                • memory/1224-10-0x000000001BD70000-0x000000001BD86000-memory.dmp (Filesize: 88KB)
                • memory/1224-11-0x000000001BD90000-0x000000001BD98000-memory.dmp (Filesize: 32KB)
                • memory/1224-7-0x000000001BDA0000-0x000000001BDF0000-memory.dmp (Filesize: 320KB)
                • memory/1224-6-0x000000001BD30000-0x000000001BD4C000-memory.dmp (Filesize: 112KB)
                • memory/1224-5-0x000000001BD20000-0x000000001BD28000-memory.dmp (Filesize: 32KB)
                • memory/1224-4-0x000000001BC00000-0x000000001BC0E000-memory.dmp (Filesize: 56KB)
                • memory/1224-3-0x0000000003210000-0x000000000321E000-memory.dmp (Filesize: 56KB)
                • memory/1224-2-0x00007FFF7CB10000-0x00007FFF7D5D1000-memory.dmp (Filesize: 10.8MB)
                • memory/3476-418-0x00000000007C0000-0x0000000000AFC000-memory.dmp (Filesize: 3.2MB)