Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-05-2024 13:07

General

  • Target

    dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe

  • Size

    3.2MB

  • MD5

    dfe2a7d1e80181a3fcf84a7c0b0c44c0

  • SHA1

    6bde52ed399d07d43a24c4a03d0abb25dea6df96

  • SHA256

    a0bbb5f5a121166366ca545b1b37d4a6b9d54562212cdef13bb052e7c342577c

  • SHA512

    fa9e812e795218f05cf158c0d13a50b485439afa9ba5ec3780e3b820c3d793cdbbe24bdadc9048eff33fa70948d0129c070c2e29fc8cc79adf5cbdca89509c66

  • SSDEEP

    49152:vC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:vC0Fl8v/qXYrv5tG9uKJGAWl5N

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
  • DCRat payload 13 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops file in Program Files directory 30 IoCs
  • Drops file in Windows directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • System policy modification 1 TTPs 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2184
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2340
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2812
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1456
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2304
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1752
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1476
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1912
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1588
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1072
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2772
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TKtqFLH7pF.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2596
        • C:\Windows\SchCache\csrss.exe
          "C:\Windows\SchCache\csrss.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:432
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70065346-a271-4ee1-9a08-92feaef7df7d.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2072
            • C:\Windows\SchCache\csrss.exe
              C:\Windows\SchCache\csrss.exe
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2044
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0f1fa0d-ab13-47b1-8f17-d75dd077fe08.vbs"
                6⤵
                  PID:2808
                  • C:\Windows\SchCache\csrss.exe
                    C:\Windows\SchCache\csrss.exe
                    7⤵
                      PID:2068
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdbd9ccf-67d6-495f-990e-74297931c3d3.vbs"
                    6⤵
                      PID:1896
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a53ab0e8-09e9-4882-8c3c-114bf9f971da.vbs"
                  4⤵
                    PID:840
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2384
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2400
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2456
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\smss.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:3044
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\smss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1004
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\smss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1716
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\Idle.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:112
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1332
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2280
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\dllhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2652
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2712
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2804
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1120
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1124
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1912
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2324
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1672
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:852
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\csrss.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2136
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\csrss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1624
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\csrss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2304
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:840
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2004
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2024
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2476
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2772
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2008
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Links\Idle.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2892
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Links\Idle.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1104
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Links\Idle.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:620
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\SchCache\csrss.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2960
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SchCache\csrss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:3032
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\SchCache\csrss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1928
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1604
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1168
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:752
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\audiodg.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1480
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\audiodg.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1520
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\audiodg.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2800
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellNew\spoolsv.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1052
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\ShellNew\spoolsv.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:684
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellNew\spoolsv.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:272
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1632
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1392
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2808
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1512
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2736
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1564
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\lsass.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2056
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\lsass.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1560
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\lsass.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1704

Network

MITRE ATT&CK Enterprise v15

Downloads

            • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe

              Filesize

              3.2MB

              MD5

              0f0932cc83a88d529c97ea16a944c529

              SHA1

              066a197a26039b912eac8822ef6e43a49d14f934

              SHA256

              adf0c84724c5736d6f09ad45eec08665395f0d7e423af0866ef275b29ff5690a

              SHA512

              ae6ec7bb1355d54cb0b8e38ec2cefffdd0bdb37a53ca5d66bcbd436f933b0f4db397cf1ae139f171898c4f44fbf96e0e881754eb95d678d585dbc9e8784e1bc6

            • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\taskhost.exe

              Filesize

              3.2MB

              MD5

              254965aec9e293ef890482ddc1263c09

              SHA1

              75b11eeca2fd136611c2ef740696292d8ab7dd0b

              SHA256

              8a677dfc059baafa7918a416092a3ce73e0bca483575b440ae5164981740ad56

              SHA512

              523c4a3bc3457d6bcc349aaa8cf415569f6c170bcacf3a49f36b912f051be7f4cd2520c21dbabfe442efbd82be9a5962fc2ea5688b10e0b4b09df044e1c7d9c5

            • C:\Program Files (x86)\Windows Mail\lsass.exe

              Filesize

              3.2MB

              MD5

              e65c49d1409478ab2a2f876935676d1c

              SHA1

              5299a2ca1b1684e3412660ea5e2c617a6db64b7d

              SHA256

              c6278e9b20c2d92901c9f499f6a4b26df0d044f3a14278e958968e239c818a12

              SHA512

              9995f3b50c7f38013413397a1f2c149ff10a64dd82ec77927241b98952f88fb827ebfca9d1e066746dedb579dc9f65adbfb3153523345274d1989815ffb5f0f1

            • C:\Program Files\VideoLAN\VLC\hrtfs\lsass.exe

              Filesize

              3.2MB

              MD5

              ac3b711d26ab5d47339ba56a3f2ca8b0

              SHA1

              000daecd8c71bde7ced451aa6503151c0c4b742b

              SHA256

              7b26c5ee0bba3268e878e184e457f118e491ccd150d199722f5734ebade710e8

              SHA512

              2329f8f1b8ffa450512d9171f76c556744405ce32489407f5c6774f033ea516ab9a77493e4a118ebd7b3200641d21d1b7fde29c69e3109c23831e54fa10d44b2

            • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe

              Filesize

              3.2MB

              MD5

              dfe2a7d1e80181a3fcf84a7c0b0c44c0

              SHA1

              6bde52ed399d07d43a24c4a03d0abb25dea6df96

              SHA256

              a0bbb5f5a121166366ca545b1b37d4a6b9d54562212cdef13bb052e7c342577c

              SHA512

              fa9e812e795218f05cf158c0d13a50b485439afa9ba5ec3780e3b820c3d793cdbbe24bdadc9048eff33fa70948d0129c070c2e29fc8cc79adf5cbdca89509c66

            • C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe

              Filesize

              3.2MB

              MD5

              ec3c8529f53de3016d96ba3b39d566d5

              SHA1

              50a406c0fda9507ca6a1863772cedd5980637028

              SHA256

              438e28ae477e5e8cea0d10f973c122da9f1a40107986d0c6fe580ae2993422b2

              SHA512

              344b42018c9484f1edff0bc32c97a708e54afda6235d739f462a63f7b370873ffe0a96d71ba890a6949767b457d3e8b758a49c9799be782091073b2c339cfd87

            • C:\Users\Admin\AppData\Local\Temp\70065346-a271-4ee1-9a08-92feaef7df7d.vbs

              Filesize

              704B

              MD5

              078b0fe2ee198ad7f8fcff6dbdffa8f4

              SHA1

              bd451fbebf6464ed0ee28125bd4a2ce1267a7a76

              SHA256

              1528be5c5d29bad8d31a12f3dffc4fd9d999e766dec23a2231fabbb3658317f6

              SHA512

              45dff2be3402d380264a2b63259d6a6d32644dfb570def2dad4ee91b68a77df0c59f24f074ab325b143406ded641d80926dbe1deae582ff2b2dac3b5efce1474

            • C:\Users\Admin\AppData\Local\Temp\TKtqFLH7pF.bat

              Filesize

              194B

              MD5

              a5fc9e9eeefa069166a3a00921d194ce

              SHA1

              ff993e20e901174e650c4a292de076c583a39084

              SHA256

              47f82225f39ca3494011dd602cf5337184e7a1abe7a2b82ac9d240eeef15e69a

              SHA512

              c842528919dbd44d3a7fc4dbe7c50cfc78cfb5ee12ec040074a4b0c7250188830899a0665d7464f0a8a583ce2e9d7422a76ba7cabea8d7f5b6c27d9801ac88f1

            • C:\Users\Admin\AppData\Local\Temp\a53ab0e8-09e9-4882-8c3c-114bf9f971da.vbs

              Filesize

              481B

              MD5

              df3fb3269f892af7750e21be4466c729

              SHA1

              7d64dc005f5a8314a222c66158d1106655cddb7f

              SHA256

              6d8f527f976983b44a10219b18c9dba8df66fe4ac9e5f5e64ec85b5f6afae0a4

              SHA512

              e1e23f9b4923ed9abcfb83ffa9636faa9a009732dc89ec65320e74ea6bbd089b6870ea72b8e920e42d7c7076116e3fd716d92c5e3283b8c03fbdd9b92cbc612e

            • C:\Users\Admin\AppData\Local\Temp\c0f1fa0d-ab13-47b1-8f17-d75dd077fe08.vbs

              Filesize

              705B

              MD5

              bcb708f940352d0ce1c84f5f9a841f48

              SHA1

              0d9578f02dab4115a00d748497deddc7ac8958b2

              SHA256

              11ac33004bc6613e858054574d8882f7c98342d732e07b496bf267803b03d805

              SHA512

              27ff46ede3713119dcfc144f5cc8bcb64acc9bf9ac7e747f9355c3e6ce1d770884fc1ab28103d51d364482ed63061bb2ff2771a11d82033c5f6bee18800e1a8b

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
              Filesize: 7KB
              MD5: 9be6a88a0068976c359b3092a784a433
              SHA1: c157cc1dcd3e55410bff94f3b65802f8d8d766a6
              SHA256: 6ba09d33d95b597d83db23f43e2738596c040a5223774d3ccf76ede7e0ce7947
              SHA512: b1fa15866c3a7cfc7d2443357b1e1145a28596a4cb43fd03bd6ce3d556c4c81ceb34cabf390b11bae5e0294c7da88d592ab3655f434964c1074c4c6dfdfec09e

            • C:\Users\Admin\audiodg.exe
              Filesize: 3.2MB
              MD5: 2f56320196b3797aebbd020e68c8ae52
              SHA1: 2487c0309624aa78f2f49987a080cdbe01b634e3
              SHA256: 34e35366f01e70ace6f226c00880fda031fb712adcb51a8c9c36d12c00e96b5d
              SHA512: c501cf99123c85985de2107ce6896c7e5aa5974a0e4e875eb7ee2e362385e5f6874179cd5cbbaaa020cb246ab6731c70b137f4c3e39fe3029eefa1f8ae3b02de

            • C:\Windows\SchCache\csrss.exe
              Filesize: 3.0MB
              MD5: 42caa506b4038361a7edb49b03aefa65
              SHA1: 85e5b80faeb469ef93a59760f0f9eec281afa07a
              SHA256: ee64b21ea6ae3425382934df8b352da664bb7ba64784591cca7b037d55812624
              SHA512: d6d5b9c01dbb1a2c7eddc49a9d926e83df9e87d5adf49b2310edbbad6fa87249b39f81321da76c873d0a0d83c03e4f2aab5b164f4305a9441a5247d2dc6a65f7

            • C:\Windows\ShellNew\spoolsv.exe
              Filesize: 3.2MB
              MD5: 42c05ec9ea2e024d335bf5c524ac1ad0
              SHA1: d36904f19cd84db1e934536546ae1e09c5711134
              SHA256: 1ba6dc66c1806d6381a98057c77aa89dff23c6e4d532b7eb9f155f8aacc65c0e
              SHA512: 50859215d120343ce02a1add25567e5908471f444a6a68db9a9f314c194d9cfa92fa2ced781ccbbfb121b15c97675ef09786d279445cb3423cd80f26267dca43

            • memory/432-337-0x0000000000BC0000-0x0000000000C16000-memory.dmp  Filesize: 344KB
            • memory/432-338-0x0000000000B30000-0x0000000000B42000-memory.dmp  Filesize: 72KB
            • memory/432-336-0x00000000011F0000-0x000000000152C000-memory.dmp  Filesize: 3.2MB
            • memory/1728-280-0x000000001B3C0000-0x000000001B6A2000-memory.dmp  Filesize: 2.9MB
            • memory/1752-281-0x0000000002410000-0x0000000002418000-memory.dmp  Filesize: 32KB
            • memory/2044-349-0x0000000000200000-0x000000000053C000-memory.dmp  Filesize: 3.2MB
            • memory/2068-361-0x0000000000380000-0x00000000006BC000-memory.dmp  Filesize: 3.2MB
            • memory/2184-14-0x0000000000B80000-0x0000000000B8C000-memory.dmp  Filesize: 48KB
            • memory/2184-17-0x0000000000BB0000-0x0000000000BB8000-memory.dmp  Filesize: 32KB
            • memory/2184-25-0x0000000001260000-0x000000000126E000-memory.dmp  Filesize: 56KB
            • memory/2184-24-0x0000000001250000-0x000000000125A000-memory.dmp  Filesize: 40KB
            • memory/2184-23-0x0000000001240000-0x0000000001248000-memory.dmp  Filesize: 32KB
            • memory/2184-26-0x0000000001270000-0x0000000001278000-memory.dmp  Filesize: 32KB
            • memory/2184-27-0x0000000001280000-0x000000000128E000-memory.dmp  Filesize: 56KB
            • memory/2184-28-0x0000000001290000-0x000000000129C000-memory.dmp  Filesize: 48KB
            • memory/2184-29-0x00000000012A0000-0x00000000012A8000-memory.dmp  Filesize: 32KB
            • memory/2184-30-0x00000000012B0000-0x00000000012BA000-memory.dmp  Filesize: 40KB
            • memory/2184-32-0x000007FEF5720000-0x000007FEF610C000-memory.dmp  Filesize: 9.9MB
            • memory/2184-31-0x00000000012C0000-0x00000000012CC000-memory.dmp  Filesize: 48KB
            • memory/2184-37-0x000007FEF5720000-0x000007FEF610C000-memory.dmp  Filesize: 9.9MB
            • memory/2184-21-0x0000000001220000-0x000000000122C000-memory.dmp  Filesize: 48KB
            • memory/2184-20-0x0000000000D90000-0x0000000000D9C000-memory.dmp  Filesize: 48KB
            • memory/2184-19-0x0000000000BD0000-0x0000000000BDC000-memory.dmp  Filesize: 48KB
            • memory/2184-18-0x0000000000BC0000-0x0000000000BD2000-memory.dmp  Filesize: 72KB
            • memory/2184-22-0x0000000001230000-0x000000000123C000-memory.dmp  Filesize: 48KB
            • memory/2184-16-0x0000000000BA0000-0x0000000000BAC000-memory.dmp  Filesize: 48KB
            • memory/2184-15-0x0000000000B90000-0x0000000000B98000-memory.dmp  Filesize: 32KB
            • memory/2184-0-0x000007FEF5723000-0x000007FEF5724000-memory.dmp  Filesize: 4KB
            • memory/2184-13-0x0000000000AB0000-0x0000000000B06000-memory.dmp  Filesize: 344KB
            • memory/2184-12-0x0000000000A90000-0x0000000000A9A000-memory.dmp  Filesize: 40KB
            • memory/2184-11-0x0000000000AA0000-0x0000000000AB0000-memory.dmp  Filesize: 64KB
            • memory/2184-10-0x0000000000A80000-0x0000000000A88000-memory.dmp  Filesize: 32KB
            • memory/2184-333-0x000007FEF5720000-0x000007FEF610C000-memory.dmp  Filesize: 9.9MB
            • memory/2184-9-0x0000000000630000-0x0000000000646000-memory.dmp  Filesize: 88KB
            • memory/2184-8-0x0000000000620000-0x0000000000630000-memory.dmp  Filesize: 64KB
            • memory/2184-7-0x0000000000600000-0x0000000000608000-memory.dmp  Filesize: 32KB
            • memory/2184-6-0x00000000005E0000-0x00000000005FC000-memory.dmp  Filesize: 112KB
            • memory/2184-5-0x00000000005D0000-0x00000000005D8000-memory.dmp  Filesize: 32KB
            • memory/2184-4-0x00000000005C0000-0x00000000005CE000-memory.dmp  Filesize: 56KB
            • memory/2184-3-0x00000000005B0000-0x00000000005BE000-memory.dmp  Filesize: 56KB
            • memory/2184-2-0x000007FEF5720000-0x000007FEF610C000-memory.dmp  Filesize: 9.9MB
            • memory/2184-1-0x00000000012F0000-0x000000000162C000-memory.dmp  Filesize: 3.2MB
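Two things in the listings above are worth turning into checks. The three dropped executables borrow the names of Windows system processes (audiodg.exe, csrss.exe, spoolsv.exe) while sitting in C:\Users\Admin, C:\Windows\SchCache and C:\Windows\ShellNew rather than in System32, where the genuine binaries live. And the memory dumps contain a region of exactly the same size, 0x33C000 bytes (the report's 3.2MB), in PIDs 432, 2044, 2068 and 2184, which is consistent with the same image being mapped in each of those processes. The Python below is an added example, not part of the sandbox report, that parses both listings and applies those two checks. The paths, hashes and dump names are copied from the report; the EXPECTED_HOMES table (a deliberately short list of process names and their legitimate directories) and the one benign System32 entry are constructed for illustration.

```python
"""Triage helpers for a sandbox report's dropped-file and memory-dump listings.

Added example; not part of the sandbox report. Paths, hashes and address ranges
are copied from the report. EXPECTED_HOMES and the entry marked 'constructed'
are assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed, deliberately short table of process names that malware commonly
# borrows, mapped to the directory holding the genuine binary (lower-case).
EXPECTED_HOMES = {
    "audiodg.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
}

# (path, md5) as listed in the report, plus one constructed benign entry so the
# check can be seen not to fire on the legitimate location.
DROPPED = [
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations"
     r"\590aee7bdd69b59b.customDestinations-ms", "9be6a88a0068976c359b3092a784a433"),
    (r"C:\Users\Admin\audiodg.exe", "2f56320196b3797aebbd020e68c8ae52"),
    (r"C:\Windows\SchCache\csrss.exe", "42caa506b4038361a7edb49b03aefa65"),
    (r"C:\Windows\ShellNew\spoolsv.exe", "42c05ec9ea2e024d335bf5c524ac1ad0"),
    (r"C:\Windows\System32\audiodg.exe", None),  # constructed benign entry, no hash
]


def is_masquerading(path: str) -> bool:
    """True when the file name is a known system process name but the file
    does not live in that binary's expected directory."""
    p = PureWindowsPath(path)
    home = EXPECTED_HOMES.get(p.name.lower())
    return home is not None and str(p.parent).lower() != home


def flag_masquerading(entries=DROPPED) -> list:
    """Paths from the dropped-file list that fail the masquerading check."""
    return [path for path, _ in entries if is_masquerading(path)]


def md5_iocs(entries=DROPPED) -> set:
    """MD5 values usable as file-hash indicators (entries without a hash are skipped)."""
    return {h.lower() for _, h in entries if h}


# Dump names have the form memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class Region:
    pid: int
    idx: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> Region:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    return Region(int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16))


def human_size(n: int) -> str:
    """Rounding as the report prints it: whole KB below 1 MiB, one decimal MB above."""
    return f"{n // 1024}KB" if n < 1 << 20 else f"{n / (1 << 20):.1f}MB"


# Dump names copied from the report (a subset is enough to show the pivot).
DUMPS = [
    "memory/432-337-0x0000000000BC0000-0x0000000000C16000-memory.dmp",
    "memory/432-336-0x00000000011F0000-0x000000000152C000-memory.dmp",
    "memory/1728-280-0x000000001B3C0000-0x000000001B6A2000-memory.dmp",
    "memory/1752-281-0x0000000002410000-0x0000000002418000-memory.dmp",
    "memory/2044-349-0x0000000000200000-0x000000000053C000-memory.dmp",
    "memory/2068-361-0x0000000000380000-0x00000000006BC000-memory.dmp",
    "memory/2184-2-0x000007FEF5720000-0x000007FEF610C000-memory.dmp",
    "memory/2184-1-0x00000000012F0000-0x000000000162C000-memory.dmp",
]


def pids_with_region_size(names, size: int) -> set:
    """PIDs holding at least one dumped region of exactly `size` bytes. The same
    region size recurring across processes is a cheap pivot for 'the same image
    is mapped in each of them'."""
    return {r.pid for r in map(parse_dump_name, names) if r.size == size}


if __name__ == "__main__":
    for path in flag_masquerading():
        print("masquerading:", path)
    for name in DUMPS:
        r = parse_dump_name(name)
        print(f"pid {r.pid:>5} region {r.idx:>3} {human_size(r.size):>6}")
    print("pids mapping 0x33C000 bytes:", sorted(pids_with_region_size(DUMPS, 0x33C000)))
```

The masquerading check is keyed on the file name and parent directory only; on a live host you would also verify the Authenticode signature of anything it flags, since a legitimately signed copy in an odd location is possible. Region-size matching is a hint, not proof: confirm by comparing the dumped regions' PE headers or hashing them.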