Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
  • submitted
    15-05-2024 16:24

General

  • Target

    d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe

  • Size

    3.2MB

  • MD5

    d96af1f18f70dd1401179685f518b060

  • SHA1

    2111cbea44fe1c5af0c3bfd7b48c9de09e769f3e

  • SHA256

    cc692cb560eed095d42301dda9d9825b8b6656123b88164a9fa72724b651d0c8

  • SHA512

    5ef31420588da5afed32d8c0fc6e6dc1742927abe1658a5ffe36cc0e82794b1c03a94a7ba9e8d6d18a6fe82e1deba5c825fde442ffbe0c0e7ce8658ebc317c98

  • SSDEEP

    49152:HC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:HC0Fl8v/qXYrv5tG9uKJGAWl5N

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Process spawned unexpected child process (54 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro. In this report it fires on the 54 schtasks.exe instances, which the tree shows at depth 1 rather than as children of the sample or of its dropped copies.

  • UAC bypass (3 TTPs, 12 IoCs)
  • DCRat payload (10 IoCs)

    Detects the DCRat payload, which is commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell (1 TTP, 12 IoCs)

    Runs PowerShell (Add-MpPreference) to add Windows Defender exclusions for paths, file extensions or processes. In this run the sample launches twelve PowerShell instances that exclude the C:\ drive root and eleven of its top-level directories by path; a path exclusion covers everything beneath it, so the root exclusion alone removes the whole volume from scanning.

  • Executes dropped EXE (3 IoCs)
  • Checks whether UAC is enabled (1 TTP, 8 IoCs)
  • Drops file in Program Files directory (45 IoCs)
  • Drops file in Windows directory (7 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTP, 54 IoCs)

    schtasks is often used by malware for persistence or to perform post-infection execution. Here the 54 tasks come in 18 groups of three, one group per dropped copy: an ONLOGON task with /rl HIGHEST, and two MINUTE tasks (intervals of 5 to 14 minutes), one of them also at the highest run level. The interval tasks are named after the binary with its last letter doubled (lsassl, dwmd, dllhostd, taskhostt, explorere, wininitw).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (16 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTP, 12 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2068
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1368
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2108
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1664
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3064
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1940
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1784
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3060
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1152
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:844
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2420
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3004
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\in2KLgOhRm.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1908
        • C:\Program Files (x86)\Common Files\explorer.exe
          "C:\Program Files (x86)\Common Files\explorer.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1632
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ceafe375-0abb-497f-a952-4d6c04f676be.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2864
            • C:\Program Files (x86)\Common Files\explorer.exe
              "C:\Program Files (x86)\Common Files\explorer.exe"
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2636
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6ca795b-343c-49bf-84d1-9e80a04268e4.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2304
                • C:\Program Files (x86)\Common Files\explorer.exe
                  "C:\Program Files (x86)\Common Files\explorer.exe"
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:1508
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8cb4794-11eb-4df8-983d-20a1ef8014f8.vbs"
                    8⤵
                      PID:812
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76e91a14-3198-48c2-9223-6279937d43b2.vbs"
                      8⤵
                        PID:2068
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d961c263-cddb-4e23-a452-d54bec58cc26.vbs"
                    6⤵
                      PID:1540
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4943d02a-22e7-4b41-aea2-6406a6163081.vbs"
                  4⤵
                    PID:2192
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2920
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2604
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2552
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\dwm.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2472
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2368
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2696
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\dllhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1052
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2416
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2724
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2784
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2780
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:612
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\lsass.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1612
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\lsass.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1976
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\lsass.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1848
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2216
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1872
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1276
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1584
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2188
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:624
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\taskhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1436
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2128
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2108
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\explorer.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2024
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\explorer.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2648
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\explorer.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2976
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\wininit.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2104
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\wininit.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2956
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\wininit.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:324
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1032
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:588
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1480
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "d96af1f18f70dd1401179685f518b060_NeikiAnalyticsd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1380
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "d96af1f18f70dd1401179685f518b060_NeikiAnalytics" /sc ONLOGON /tr "'C:\MSOCache\All Users\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1796
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "d96af1f18f70dd1401179685f518b060_NeikiAnalyticsd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1836
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\Templates\dllhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1208
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1152
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\Templates\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2028
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\wininit.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1768
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\wininit.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1996
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\wininit.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1616
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1028
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:916
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:932
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2376
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2948
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:780
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:604
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1908
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2012
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\wininit.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2040
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\wininit.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2084
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\wininit.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1604
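The process tree above shows the two behaviours the signatures describe in raw form: Add-MpPreference calls that exclude the whole of C:\ from Defender, and schtasks /create calls that re-launch dropped copies named after system binaries (lsass.exe, dwm.exe, wininit.exe, ...) from directories where those binaries never live, on short MINUTE intervals and at the highest run level. The Python triage script below is an added example and not part of the sandbox report or the malware; it parses such command lines and flags them. The sample lines are copied from the tree above, except the last one, a constructed benign task used as a control. The rule names, the 15-minute interval threshold, the system-binary list and the function names are this example's own assumptions.

```python
"""Triage helper: flag Defender-exclusion and schtasks-persistence command lines.

Added example for this report. Rule names, thresholds and the benign control
line are this script's own assumptions, not output of the sandbox.
"""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Windows binaries whose names the dropper reuses for its copies (see the tree above).
SYSTEM_BINARY_NAMES = {
    "lsass.exe", "dwm.exe", "dllhost.exe", "wininit.exe",
    "taskhost.exe", "explorer.exe", "csrss.exe", "svchost.exe",
}
# Directories in which those names are expected to live (explorer.exe sits in C:\Windows).
LEGIT_SYSTEM_DIRS = {"c:\\windows\\", "c:\\windows\\system32\\", "c:\\windows\\syswow64\\"}
# Re-execution intervals at or below this many minutes look like a watchdog loop (assumption).
BEACON_INTERVAL_MINUTES = 15

_DEFENDER_RE = re.compile(
    r"Add-MpPreference\b.*?-ExclusionPath\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.IGNORECASE)
_SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.IGNORECASE)
_SCHTASKS_OPT_RE = re.compile(r"/(tn|sc|mo|tr|rl)\s+(?:\"([^\"]*)\"|(\S+))", re.IGNORECASE)


@dataclass
class ScheduledTask:
    name: str
    schedule: str             # MINUTE, ONLOGON, ...
    modifier: Optional[int]   # /mo value, if any
    target: str               # normalised /tr path
    run_level: Optional[str]  # HIGHEST or None


@dataclass
class Finding:
    rule: str
    detail: str
    cmdline: str


def normalize_path(raw: str) -> str:
    """Strip the single/double quoting seen in the tree and use backslashes throughout."""
    return raw.strip().strip("'\"").replace("/", "\\")


def parse_defender_exclusion(cmdline: str) -> Optional[str]:
    """Return the excluded path from an Add-MpPreference -ExclusionPath call, else None."""
    m = _DEFENDER_RE.search(cmdline)
    if not m:
        return None
    return normalize_path(next(g for g in m.groups() if g is not None))


def is_broad_exclusion(path: str) -> bool:
    """A drive root or one of its immediate children removes a huge surface from scanning."""
    parts = [p for p in path.split("\\") if p]
    return len(parts) <= 2  # ['C:'] or ['C:', 'Users']


def parse_schtasks(cmdline: str) -> Optional[ScheduledTask]:
    """Parse the /tn /sc /mo /tr /rl options of a schtasks /create command line."""
    if not _SCHTASKS_CREATE_RE.search(cmdline):
        return None
    opts = {}
    for m in _SCHTASKS_OPT_RE.finditer(cmdline):
        opts[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    if "tr" not in opts:
        return None
    mo = opts.get("mo")
    return ScheduledTask(
        name=opts.get("tn", ""),
        schedule=(opts.get("sc") or "").upper(),
        modifier=int(mo) if mo and mo.isdigit() else None,
        target=normalize_path(opts["tr"]),
        run_level=opts["rl"].upper() if opts.get("rl") else None,
    )


def is_masquerade(target: str) -> bool:
    """System-binary name launched from a directory where that binary never lives."""
    name = ntpath.basename(target).lower()
    directory = ntpath.dirname(target).lower().rstrip("\\") + "\\"
    return name in SYSTEM_BINARY_NAMES and directory not in LEGIT_SYSTEM_DIRS


def analyze(cmdlines) -> list:
    """Run the three rules over a list of command lines and collect findings."""
    findings = []
    for cmd in cmdlines:
        excl = parse_defender_exclusion(cmd)
        if excl is not None:
            scope = "broad" if is_broad_exclusion(excl) else "narrow"
            findings.append(Finding("defender-exclusion", f"{scope}: {excl}", cmd))
        task = parse_schtasks(cmd)
        if task is None:
            continue
        if is_masquerade(task.target):
            level = task.run_level or "default"
            findings.append(Finding("schtasks-masquerade",
                                    f"{task.name}: {task.target} (run level {level})", cmd))
        if (task.schedule == "MINUTE" and task.modifier is not None
                and task.modifier <= BEACON_INTERVAL_MINUTES):
            findings.append(Finding("schtasks-beacon-interval",
                                    f"{task.name}: every {task.modifier} min", cmd))
    return findings


def summarize(findings) -> dict:
    """Count findings per rule."""
    return dict(Counter(f.rule for f in findings))


# The first six lines are copied from the process tree of this report; the last
# line is a constructed benign task (explorer.exe from its real location) as a control.
SAMPLE_CMDLINES = r'''
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
schtasks.exe /create /tn "Shell" /sc ONLOGON /tr "C:\Windows\explorer.exe" /f
'''.strip().splitlines()

if __name__ == "__main__":
    for f in analyze(SAMPLE_CMDLINES):
        print(f"[{f.rule}] {f.detail}")
    print(summarize(analyze(SAMPLE_CMDLINES)))
```

On the sample lines the script reports two broad Defender exclusions, three masqueraded task targets and one short-interval task; the control line and the w32tm delay produce nothing. To run it against a real case, feed it the command-line column of a process-creation log (Sysmon event 1 or Security 4688) instead of SAMPLE_CMDLINES.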

Network

MITRE ATT&CK Enterprise v15

Downloads

            • C:\MSOCache\All Users\RCX2F72.tmp

              Filesize

              3.2MB

              MD5

              1b1714bac4f627d1769016a1717c643c

              SHA1

              2ca0858b164a325b66c57c7767ded01b9eed4d08

              SHA256

              a5167fa16c1ea630355300b06b8bc5ebdddf48a2f086fe83f89cca33b01c253e

              SHA512

              df1f1ed405019e4942c4d08703f7dd48f35c95976c27623e95f305362cea769579fb5fff52e044f73c3a8ce1950452d5d792f9349b8610429e6fbce695250bd6

            • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe

              Filesize

              3.2MB

              MD5

              bebea6e3ba1977435aee586a2806e37e

              SHA1

              1528146da2456465519484479cd52ed34fdb015f

              SHA256

              1042b21760cdb8580bb3976e1a98d264459580dc9729830e50deea45021e4e92

              SHA512

              1d8c750ff8eea176bc6bb3728b3397104da569a386857cf783e3306a02b4c0fb7cbc53788550b3481f76851b0d819182eb1b9f962115d4aab27ca5c77ddc570d

            • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe

              Filesize

              3.2MB

              MD5

              ef0d1de9745028444813b3e4ae790604

              SHA1

              baf2482ec616e41571383dcec1a74da02d3da386

              SHA256

              1a2c2f0bfabe7ba39074859978c36ae99e3687476b984dfc65c7b197eda93095

              SHA512

              bc18d305524e6fae19b469a29314c1d128a2b71fd6df6adf71b8a5ebc83ff4c5238d4e830b189aa91193f755c89816cd10535518a570667bf9ac08b81f714595

            • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe

              Filesize

              3.2MB

              MD5

              8e18dbca8d56bf6af117afb870ea6323

              SHA1

              2bd630f2220a14d8580fd244de438735aee07ebe

              SHA256

              ffbf70373e8a471d16268ce18353021c8835dde61f6f66f2b84a65ddcea7aed2

              SHA512

              a1130a5cd09512d7992bc251d55aa5959eb0374a468306e22faab965128557f2b4d08e3dd1d92024b3e049f668211b41edadf05c43fb81c389a8b6417a4b86ff
