Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-05-2024 15:29

General

  • Target

    e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe

  • Size

    2.9MB

  • MD5

    e349210264df2c9c8513e938aa1f3940

  • SHA1

    e689f7221e0954c75e760d5103723c021b82eebb

  • SHA256

    4d520afba4c682d393f2979de1abea0e96ec9f84f2b1d0164b57eea4eea15175

  • SHA512

    93fb466f6a853c227ebf88ed5586d509e4982f6b0c6e6dce7343c38e887a5c5e5f9b3484d70c7d64b3bdff50a2a93bb73ce7e6a4f6eb4ee8960052248db08b99

  • SSDEEP

    49152:f4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:QDKmzjWnC8Wikx1DUN2/Uq

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 36 IoCs
  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Checks whether UAC is enabled 1 TTPs 24 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2872
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1484
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1608
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:924
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1656
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1780
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1280
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:468
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:760
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:836
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1072
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5aHV7JTKGb.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2880
        • C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe
          "C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2920
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88d6643c-1c32-4cb2-ac5c-835ca516018b.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2836
            • C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe
              C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1128
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c5f9120-874d-4592-adf9-28dad0f4f728.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2088
                • C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe
                  C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:892
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0691a621-351c-4329-a175-6ff3e0e6cb75.vbs"
                    8⤵
                      PID:1288
                      • C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe
                        C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe
                        9⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:1348
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c75006b-6bf2-4c39-af40-b75eedf8863f.vbs"
                          10⤵
                            PID:1604
                            • C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe
                              C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe
                              11⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:952
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d777272d-2e32-4c3b-9479-5c54a82d058b.vbs"
                                12⤵
                                  PID:1840
                                  • C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe
                                    C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe
                                    13⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:2724
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d98a413e-6e9e-4ac8-8e39-c09a15ff1e0f.vbs"
                                      14⤵
                                        PID:2188
                                        • C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe
                                          C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe
                                          15⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:1380
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36e9956a-823e-4fc7-83e6-650a72d7fe55.vbs"
                                            16⤵
                                              PID:2624
                                              • C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe
                                                C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe
                                                17⤵
                                                • UAC bypass
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:2548
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ac724b0-6d26-4e2c-803d-fee9a339a226.vbs"
                                                  18⤵
                                                    PID:2792
                                                    • C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe
                                                      C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe
                                                      19⤵
                                                      • UAC bypass
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • System policy modification
                                                      PID:3000
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eea7e8ad-dafe-4f5a-9f3a-35850fda8351.vbs"
                                                        20⤵
                                                          PID:1640
                                                          • C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe
                                                            C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe
                                                            21⤵
                                                            • UAC bypass
                                                            • Executes dropped EXE
                                                            • Checks whether UAC is enabled
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • System policy modification
                                                            PID:2988
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a057145-b7a3-4298-80db-9d12830dc7ee.vbs"
                                                              22⤵
                                                                PID:1784
                                                                • C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe
                                                                  C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe
                                                                  23⤵
                                                                  • UAC bypass
                                                                  • Executes dropped EXE
                                                                  • Checks whether UAC is enabled
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • System policy modification
                                                                  PID:1748
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86025ee7-4dbd-4f75-97d9-29c9e6a7b805.vbs"
                                                                22⤵
                                                                  PID:1948
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\200553f5-2a17-483c-944b-6ff2508c20f5.vbs"
                                                              20⤵
                                                                PID:536
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89c1fea0-d71b-451d-b12c-0666a8631601.vbs"
                                                            18⤵
                                                              PID:644
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53e38331-93bc-4af7-b358-256bae17fe6c.vbs"
                                                          16⤵
                                                            PID:1564
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5fe9278-9572-4cc6-af15-4dad7e18ec63.vbs"
                                                        14⤵
                                                          PID:2352
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c87b5ce9-93e3-4e6a-8f21-c873a246ef5e.vbs"
                                                      12⤵
                                                        PID:1560
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5be379ca-007c-48fb-b870-5b7d2be66120.vbs"
                                                    10⤵
                                                      PID:2148
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3c15762-b7f4-4b15-be67-bdecf9b519d5.vbs"
                                                  8⤵
                                                    PID:872
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4d8aa18-d177-4acc-9eac-4f14cac5a3a7.vbs"
                                                6⤵
                                                  PID:2124
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91a01db5-f4c4-4eb2-814d-3764b79dcf51.vbs"
                                              4⤵
                                                PID:376
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2648
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2432
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3004
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2292
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:764
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2488
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2308
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Resources\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1936
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2392
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\it-IT\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2336
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\it-IT\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1332
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1224
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2904
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2020
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2284
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2404

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Downloads

                                        • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe
                                          Filesize: 2.9MB
                                          MD5: e349210264df2c9c8513e938aa1f3940
                                          SHA1: e689f7221e0954c75e760d5103723c021b82eebb
                                          SHA256: 4d520afba4c682d393f2979de1abea0e96ec9f84f2b1d0164b57eea4eea15175
                                          SHA512: 93fb466f6a853c227ebf88ed5586d509e4982f6b0c6e6dce7343c38e887a5c5e5f9b3484d70c7d64b3bdff50a2a93bb73ce7e6a4f6eb4ee8960052248db08b99

                                        • C:\Users\Admin\AppData\Local\Temp\0691a621-351c-4329-a175-6ff3e0e6cb75.vbs
                                          Filesize: 735B
                                          MD5: ae55e56d74343b28ed5c5a57f8c59dcf
                                          SHA1: 4b311279fc5f5a89295fec16718ac286a712719a
                                          SHA256: d72506ab3a8d09edfad22e5c74966c7a0056ebb1e4f4d873fc6d16e621478502
                                          SHA512: 9d2913c518d2c075ef0bd9bc383c538076a7bfc28257596655fb1f084292b5d6cacf85d567f9607bb5f800d547be5cdd22886260839a6df022d4e9a94beeaa39

                                        • C:\Users\Admin\AppData\Local\Temp\36e9956a-823e-4fc7-83e6-650a72d7fe55.vbs
                                          Filesize: 736B
                                          MD5: 9892efb9aac788bfc2be912e35b34a3a
                                          SHA1: e4d03117331b725d46e70f68a40c688f161a29da
                                          SHA256: 51f8b6b7416037646748ec44eadf00dfedf0f6299b0ee809f2f191329b0e780e
                                          SHA512: 33d799664ac0e0b6b799f1e755c09d6a83fe7378f1e94abcf88f76c7e27e29ffe93cf930509abc9e072b3f27d05255f8beba1e1a1f8e5cdad908adaea40da7c9

                                        • C:\Users\Admin\AppData\Local\Temp\4ac724b0-6d26-4e2c-803d-fee9a339a226.vbs
                                          Filesize: 736B
                                          MD5: 767097a56fb53c8bd7c82c81ecadf80c
                                          SHA1: b1c46b104479e1624fc722c72d4d61eac5414042
                                          SHA256: 38f2a229dc9a36a017804d7048d75c912cf7f15f80658d2c69681782014874ef
                                          SHA512: c0ad1b9a094310ffe3524ab01451c747eb17b607420ed60f4b708a03ab94a8f573f52f9b4745b34352d558dc292c785188c7d7b5bedf0bcf8f11370d88d88abe

                                        • C:\Users\Admin\AppData\Local\Temp\5aHV7JTKGb.bat
                                          Filesize: 225B
                                          MD5: 08ca394f19216c4072e53eb9bfe4b206
                                          SHA1: 88db3ce7a2b632791e3e2e5383123735d2df7c33
                                          SHA256: c7b3c9421de28399ac365496ab4bc5ccfeddc670eeaa5b3c5017526453fd6306
                                          SHA512: 69c726cab8843d9a6161646376c2a051399574c88c5a3dd3849f577e23bcd6eef1756342f7eec62940b3e2282f49348d01c5756973b167f7dfed97ed0dd4e36c

                                        • C:\Users\Admin\AppData\Local\Temp\5c5f9120-874d-4592-adf9-28dad0f4f728.vbs
                                          Filesize: 736B
                                          MD5: d727d46a2792a7cbdac8d69bce2c93be
                                          SHA1: 15108b49429efe4b21b33ce23622bd57f70561db
                                          SHA256: b175f49088d915951258badd4ea30e3f810179ab119e0a955c43bdb560e55844
                                          SHA512: 4b0261e9f619837439c556b85aad825a5f2346aa1b741840045f231b4ee3f55e173eabd74978e4b24c60674104d2899cc6f11f3958ecd29233c3d4701bbaee12

                                        • C:\Users\Admin\AppData\Local\Temp\5c75006b-6bf2-4c39-af40-b75eedf8863f.vbs
                                          Filesize: 736B
                                          MD5: 98ccd5bab3ad4e25b8c60db7dc3d68eb
                                          SHA1: 6200c6b686a32ae40e8c0038bca0bd597adfae25
                                          SHA256: 56e7344230028884641f23dca3d289c5658b9078c3133b5dced372ce853528d9
                                          SHA512: e8c8052eeba3ae0a98a3ab81a25c48756e82250aceacb8cc63b8f5f9e655a5d846d1ff98b9e458cd9d4095f6522cdb298bb9b44b0732748ac65d32b07b167a9d

                                        • C:\Users\Admin\AppData\Local\Temp\88d6643c-1c32-4cb2-ac5c-835ca516018b.vbs
                                          Filesize: 736B
                                          MD5: 5f1da4466d26e59e6fd6f182ab8575c3
                                          SHA1: 7f77ff9ebbeff22d7cda63ca304282c28678a7c2
                                          SHA256: 3b4cb4a90c6c89ca58c966a7f0b8b5a13218ca0c970aec3dea2cc00942bcd24a
                                          SHA512: e1362fad0b9d2dd0c9f9f0bd69b35608891df562d420267d298a68b0ef685bec5b9b76883b20e026dcf6cf0e1b837a63051fbf877aac3deb9b21084a1e92366f

                                        • C:\Users\Admin\AppData\Local\Temp\91a01db5-f4c4-4eb2-814d-3764b79dcf51.vbs
                                          Filesize: 512B
                                          MD5: 1ab79a3abbdb0a16f048f0dbfdc3df8c
                                          SHA1: ed0ad2389a4f19c81b1a576393d38909217753fa
                                          SHA256: 782662a94ee2807770376c09a058efb40be59a7f7fa134c6d3d74ba32c21db06
                                          SHA512: 5ff33b05d55dab21e737692dd0285ccb595a735511723dec61a134ded904c9adc08ae9aa655641f911c2e57ca3e1f9dffc1fd0a22fb371e3875ddcf1e131b931

                                        • C:\Users\Admin\AppData\Local\Temp\9a057145-b7a3-4298-80db-9d12830dc7ee.vbs
                                          Filesize: 736B
                                          MD5: d524d0d59de7558afb656aafe6ed0336
                                          SHA1: 23b820e3d30c6d872e893648079ec7fcc21c838d
                                          SHA256: b3bbba763cd17a5c3a2112dc61a0024973dd2ea789e12bc457acadfd25530acd
                                          SHA512: 7c90f6611f5fd4a95502f05949f49cf3143b333d0798aa45003043e37b4b4fffdfac87df4f1a690289b6f6c8d2f6df3923ac8b35fd64950a8e4f3cc541b4e2c0

                                        • C:\Users\Admin\AppData\Local\Temp\d777272d-2e32-4c3b-9479-5c54a82d058b.vbs
                                          Filesize: 735B
                                          MD5: 81e565bfcf432f83b4b5823a98cb522c
                                          SHA1: a8f0460c7514243b0b157dcaf8cabf0bca7592b7
                                          SHA256: 7b2f236f13b78e3cb07d404efab5163f4234b5cb3ac9288bcc4af5c0036a9927
                                          SHA512: 33cb99e5b087bbfa6871e7a99420b7a588ed5dc23dd22184731f9760b7c7ad361adf4297b2877d5c911aacc3783ac1d8c3942844c7ff7229f210dafec0b10acf

                                        • C:\Users\Admin\AppData\Local\Temp\d98a413e-6e9e-4ac8-8e39-c09a15ff1e0f.vbs
                                          Filesize: 736B
                                          MD5: d59c51b0fecd913e4c9f43ff46002fdc
                                          SHA1: abaa3d041bfe582f967a644e7cffb159961225d8
                                          SHA256: b40ad32fc79fed0d975c94ac93678b6cd752d2dc40a20cf003543ba8601017ca
                                          SHA512: 0548aaf9c0f3b05f1f30f29d00905dbaca513aa4fc3809b4ade4be2b61734eb214ef4b705676cc86b709a5d8490c6ef1ca89cb5c4c09bdcdfe047a65178cea03

                                        • C:\Users\Admin\AppData\Local\Temp\eea7e8ad-dafe-4f5a-9f3a-35850fda8351.vbs
                                          Filesize: 736B
                                          MD5: 47b74c448fb3e6b4495b8f0583de62c3
                                          SHA1: 7e78213c03db78aad93d8d6c5fdbbd8ce3152d86
                                          SHA256: 745bf75519064ddbc0e6d97b162ca8e4dbdc2e46cfb06b42a96b361fe9280517
                                          SHA512: 9dc130bb31825f8f2c53aef67f3eba0b10ef1169b737a544db1e48754d3bc27f6d5e73ffe340589f9c6e53559a5c3c37e35da7d9d8dd9f985d644afea713c229

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                          Filesize: 7KB
                                          MD5: ca2b20db3ee39ff237186048ba77e8df
                                          SHA1: 408480acaea807a294c0937355205f565e83e860
                                          SHA256: 82794cae42f2af66c6cc110553a08e14289de93fb03d67d8163822ea39ef9dba
                                          SHA512: 8197bf3c2b13e2d2800aa184a02207b34f70df7cbcbbd8dc975ea01aaa9aaba1e599f06f7addf86faed357a1917272a8d4ab2fb28406ea1c58b8d7832f9de1d9

                                        • C:\Windows\Resources\csrss.exe
                                          Filesize: 2.9MB
                                          MD5: aca376d1fbbdae37ac12118021977309
                                          SHA1: a582a859522127e76a84c662eb45f2e183ae9a2a
                                          SHA256: 6b3049abaf104e0347b315c6aaf50b806afc2d6f3fd8874df9bda232397cf5a0
                                          SHA512: e23eeb47146cf2ecf66953e13d20e87c638e6115a2d41ebfecc2cecbc207ae5fbe1b70f9d2e039005988d1cf875216e63b2d64dec0adf7086e9c23886ab4743f

                                        • memory/892-207-0x0000000000D10000-0x0000000000D66000-memory.dmp
                                          Filesize: 344KB

                                        • memory/952-231-0x0000000000BF0000-0x0000000000ED6000-memory.dmp
                                          Filesize: 2.9MB

                                        • memory/952-232-0x0000000002490000-0x00000000024A2000-memory.dmp
                                          Filesize: 72KB

                                        • memory/1128-195-0x0000000001330000-0x0000000001616000-memory.dmp
                                          Filesize: 2.9MB

                                        • memory/1348-219-0x0000000000090000-0x0000000000376000-memory.dmp
                                          Filesize: 2.9MB

                                        • memory/1484-131-0x0000000000490000-0x0000000000498000-memory.dmp
                                          Filesize: 32KB

                                        • memory/1484-130-0x000000001B7E0000-0x000000001BAC2000-memory.dmp
                                          Filesize: 2.9MB

                                        • memory/1748-304-0x0000000000990000-0x00000000009A2000-memory.dmp
                                          Filesize: 72KB

                                        • memory/2548-267-0x00000000000E0000-0x00000000003C6000-memory.dmp
                                          Filesize: 2.9MB

                                        • memory/2724-244-0x0000000001190000-0x0000000001476000-memory.dmp
                                          Filesize: 2.9MB

                                        • memory/2872-11-0x000000001AF20000-0x000000001AF76000-memory.dmp
                                          Filesize: 344KB

                                        • memory/2872-4-0x00000000004F0000-0x00000000004F8000-memory.dmp
                                          Filesize: 32KB

                                        • memory/2872-15-0x000000001A850000-0x000000001A862000-memory.dmp
                                          Filesize: 72KB

                                        • memory/2872-124-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp
                                          Filesize: 9.9MB

                                        • memory/2872-14-0x000000001A840000-0x000000001A84C000-memory.dmp
                                          Filesize: 48KB

                                        • memory/2872-25-0x000000001AFC0000-0x000000001AFCC000-memory.dmp
                                          Filesize: 48KB

                                        • memory/2872-24-0x000000001AFB0000-0x000000001AFBA000-memory.dmp
                                          Filesize: 40KB

                                        • memory/2872-13-0x000000001A830000-0x000000001A838000-memory.dmp
                                          Filesize: 32KB

                                        • memory/2872-19-0x000000001AED0000-0x000000001AEDE000-memory.dmp
                                          Filesize: 56KB

                                        • memory/2872-12-0x000000001A820000-0x000000001A82C000-memory.dmp
                                          Filesize: 48KB

                                        • memory/2872-17-0x000000001A990000-0x000000001A998000-memory.dmp
                                          Filesize: 32KB

                                        • memory/2872-23-0x000000001AFA0000-0x000000001AFA8000-memory.dmp
                                          Filesize: 32KB

                                        • memory/2872-10-0x0000000002300000-0x000000000230A000-memory.dmp
                                          Filesize: 40KB

                                        • memory/2872-9-0x00000000022F0000-0x0000000002300000-memory.dmp
                                          Filesize: 64KB

                                        • memory/2872-8-0x00000000022E0000-0x00000000022E8000-memory.dmp
                                          Filesize: 32KB

                                        • memory/2872-22-0x000000001AF90000-0x000000001AF9C000-memory.dmp
                                          Filesize: 48KB

                                        • memory/2872-6-0x00000000022B0000-0x00000000022C6000-memory.dmp
                                          Filesize: 88KB

                                        • memory/2872-0-0x000007FEF5C73000-0x000007FEF5C74000-memory.dmp
                                          Filesize: 4KB

                                        • memory/2872-21-0x000000001AF80000-0x000000001AF8E000-memory.dmp
                                          Filesize: 56KB

                                        • memory/2872-7-0x00000000022D0000-0x00000000022D8000-memory.dmp
                                          Filesize: 32KB

                                        • memory/2872-20-0x000000001AF70000-0x000000001AF78000-memory.dmp
                                          Filesize: 32KB

                                        • memory/2872-5-0x0000000002220000-0x0000000002230000-memory.dmp
                                          Filesize: 64KB

                                        • memory/2872-16-0x000000001A980000-0x000000001A988000-memory.dmp
                                          Filesize: 32KB

                                        • memory/2872-18-0x000000001AEC0000-0x000000001AECA000-memory.dmp
                                          Filesize: 40KB

                                        • memory/2872-3-0x00000000004D0000-0x00000000004EC000-memory.dmp
                                          Filesize: 112KB

                                        • memory/2872-1-0x00000000008A0000-0x0000000000B86000-memory.dmp
                                          Filesize: 2.9MB

                                        • memory/2872-2-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp
                                          Filesize: 9.9MB

                                        • memory/2920-184-0x0000000000D80000-0x0000000001066000-memory.dmp
                                          Filesize: 2.9MB

                                        • memory/2988-291-0x0000000000110000-0x00000000003F6000-memory.dmp
                                          Filesize: 2.9MB

                                        • memory/2988-292-0x0000000002470000-0x0000000002482000-memory.dmp
                                          Filesize: 72KB

                                        • memory/3000-279-0x00000000000F0000-0x00000000003D6000-memory.dmp
                                          Filesize: 2.9MB