Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-05-2024 07:43

General

  • Target

    7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe

  • Size

    3.2MB

  • MD5

    7d51904b084c1d1037f17ed8aaa57a70

  • SHA1

    d2d0d38ca329c1cb2fa955c8fbb3f12cb28fc05d

  • SHA256

    8d23e71c63a93438c953695aa9cc56ca5a8a2b05ad94ba7535698add6dad98e6

  • SHA512

    cb0065905907951367375dde96c9c6e4b27ffa041c4ab870e03744d94ef091010396e77fa6ff26e2b1677e36c7254ee953d23ffa707e1ffe79f939cfd91d8582

  • SSDEEP

    49152:nC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:nC0Fl8v/qXYrv5tG9uKJGAWl5N

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 24 IoCs
  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 16 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2340
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2492
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2132
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2704
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1564
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1520
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:536
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1732
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:556
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2436
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1416
    • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
      "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1676
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\048bf34c-d2d9-43b1-b4fc-a1beab3e12e5.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
          "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1788
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc55f815-c192-4012-afed-ec2050c9fd00.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2004
            • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
              "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe"
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2856
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5bf4987-de4f-48fe-b8c4-1175fc34a508.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:708
                • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
                  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe"
                  8⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of AdjustPrivilegeToken
                  • System policy modification
                  PID:2144
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b821b74-d73a-4888-852c-373a3656384c.vbs"
                    9⤵
                    PID:924
                    • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
                      "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe"
                      10⤵
                      • UAC bypass
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Suspicious use of AdjustPrivilegeToken
                      • System policy modification
                      PID:2412
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\255e8bea-5310-4886-91c8-d55f9434765e.vbs"
                        11⤵
                        PID:1540
                        • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
                          "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe"
                          12⤵
                          • UAC bypass
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Suspicious use of AdjustPrivilegeToken
                          • System policy modification
                          PID:2092
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5aedc89-e535-4572-aaad-2ebe8198bb80.vbs"
                            13⤵
                            PID:2068
                            • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
                              "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe"
                              14⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:1468
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba23441d-9b88-47af-8863-69160435d031.vbs"
                                15⤵
                                PID:3048
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f11a8482-f74a-4e0a-b357-b15678f1ee9b.vbs"
                                15⤵
                                PID:472
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cf08891-b2d3-40fc-b803-00a980a49643.vbs"
                            13⤵
                            PID:600
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7566dec5-e549-4af3-85e6-b06a2bf69a93.vbs"
                        11⤵
                        PID:1676
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f463f9aa-8cbd-4d81-a2da-97788419d389.vbs"
                    9⤵
                    PID:2356
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfa4b9a3-4bfc-46d0-8660-2d39514c157a.vbs"
                7⤵
                PID:1584
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9904c07-e2d8-41b6-a7cc-b0954845aa34.vbs"
            5⤵
            PID:2016
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fba3d8c5-ca61-488f-a15e-706e4e898e62.vbs"
        3⤵
        PID:784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2432
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2464
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1664
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Pictures\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Pictures\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Pictures\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2828
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:544
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1368
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft\RAC\StateData\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\RAC\StateData\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\RAC\StateData\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2016
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1332
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2004
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Temp\Crashpad\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1228
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\Crashpad\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1432
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Searches\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Searches\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2360
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Searches\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2156
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2084
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1124
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2924
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1004
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics7" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics7" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2244
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\ja-JP\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\ja-JP\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2952

                        Network

                        MITRE ATT&CK Enterprise v15

                        Downloads

                        • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe
                          Filesize

                          3.2MB

                          MD5

                          ba648fa71f9cbdb85fa39a1d93ac46e0

                          SHA1

                          d7a558b740b8d357b5cb07521b829e2d652d27ce

                          SHA256

                          4040c52d2d8fa26bda4fb27966df06d22b6464e6469e13ef27acec12f910ef6e

                          SHA512

                          31f947b68daf5970f1da2b2a7662ae1d2dd6d2c7343fd637fbdf20183cf3dd221d774ce0acadf727d6e12b0569de7107bee0eb6f35998108e2ec0a780128921c

                        • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
                          Filesize

                          3.2MB

                          MD5

                          def5cc475b4ddbb74591090a003800a0

                          SHA1

                          999536842aa5dded92fbe349e7615371e8af88e7

                          SHA256

                          8e63ade21b522337c0c5f002328e2e736aa1c495a0782e45dbbfec99f9a61e77

                          SHA512

                          700765c73628e38ca224acaf916eab03f0c355754c84b30da6d86fe1400f56984642bf6696d51bf78ee9b4ed14678c658925d183a6c4dc658cc24e3a144c65aa

                        • C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe
                          Filesize

                          3.2MB

                          MD5

                          6f4257068187524fd1ee8c16e4c30051

                          SHA1

                          0ff6842342e227d660a6e99d3ceb7cb225f86a34

                          SHA256

                          f4188b8d6a49c212b5a15a2b04f2da9216aef4f504b644552e9dc3e74a17dec7

                          SHA512

                          984f92e344919019a9ce8b9beae3bd44990ff42edc686ecaa44ba4c68c7157f1721bd2df62f6255cb87da7703f6987c325e2ec46603ac96fa72c4799e17179cc

                        • C:\Program Files\Windows Mail\ja-JP\wininit.exe
                          Filesize

                          3.2MB

                          MD5

                          c89375a74a9fe882f2ef549f733a937a

                          SHA1

                          27aa7189430dd79de73e017b3d1c598235038363

                          SHA256

                          b067184b0042fb8a8046d0aa6f19cfd47548f39793f232a243c68f38b3b210ac

                          SHA512

                          e2f64e3a78489d3ef2477839ad922ebf0c7726f8f1132c315db16c34d2bc52d097937fcb54930780b46711b4c79517404d48b1f3cc30e36fb6c8124d12918c27

                        • C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe
                          Filesize

                          3.2MB

                          MD5

                          7d51904b084c1d1037f17ed8aaa57a70

                          SHA1

                          d2d0d38ca329c1cb2fa955c8fbb3f12cb28fc05d

                          SHA256

                          8d23e71c63a93438c953695aa9cc56ca5a8a2b05ad94ba7535698add6dad98e6

                          SHA512

                          cb0065905907951367375dde96c9c6e4b27ffa041c4ab870e03744d94ef091010396e77fa6ff26e2b1677e36c7254ee953d23ffa707e1ffe79f939cfd91d8582

                        • C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe
                          Filesize

                          3.2MB

                          MD5

                          9a2cbfc7864b6b50bf38eda58b3ab2ee

                          SHA1

                          7b7223521f787d072988e855845405be1c8b34ab

                          SHA256

                          b5560c76b04fbe092bde21e33fc8aca79960a1a5ea931c499ed2b240586a66dc

                          SHA512

                          58a538d72b01768d26dc11fd2be8ceb7cc90676d7013fe7a4a4e320240cbf7a47665f729ec191534a61c40a7bb357eaed49a0bdcd53751a63139203806e47202

                        • C:\Users\Admin\AppData\Local\Temp\048bf34c-d2d9-43b1-b4fc-a1beab3e12e5.vbs
                          Filesize

                          790B

                          MD5

                          eec05329a4489e1168914c89ba939573

                          SHA1

                          a954d18b320e74474c534336f05a57ab2fb186ce

                          SHA256

                          df3b5aabee4ef9df365d97fdea914b1e9feb1fbfe49133564616af5eca25dcbf

                          SHA512

                          6de010275d201d2260731247a9fb3fdf89161153f8fcde774f2b7839c9714d23cdbe23f6a3df409c663747e890764aa97bbcdbbf14231e1cf3a9f4f92896df08

                        • C:\Users\Admin\AppData\Local\Temp\255e8bea-5310-4886-91c8-d55f9434765e.vbs
                          Filesize

                          790B

                          MD5

                          bf7b7fc7a1258e986f9a33329276e650

                          SHA1

                          8003d1cc2ef8a5432d799fa3eaaf218b7b6a5ecb

                          SHA256

                          9f7363ba0568b3cf416accb9dc7cb03b6b5cdd5e2776ffc55f1234e8df4abe34

                          SHA512

                          f456ed36b7eea4d986f365521ab1066b1bfd07c2dbde31e3e8eaa6c11f32c030a3c49a3e058cd4ba8572ffdd294a0f421ad82d1864b39a16c846e994d10fd154

                        • C:\Users\Admin\AppData\Local\Temp\5b821b74-d73a-4888-852c-373a3656384c.vbs
                          Filesize

                          790B

                          MD5

                          77eae0688b1c831b823ce6255d04d726

                          SHA1

                          16602f7ee28f45211c4922eb8c5b34f2ce4dcd7a

                          SHA256

                          505ce828fbc642a3a9839c33031e1cd7b9354778e0b84f64372f181e1cadd077

                          SHA512

                          fec03c237a534275b5ad856ab5ffe791fd1ca641efddceccd86dd34c318b447712e19d79b7dd6b95e9d1c47413cd2522660716705f454f01eda291265ab9c605

                        • C:\Users\Admin\AppData\Local\Temp\a5aedc89-e535-4572-aaad-2ebe8198bb80.vbs
                          Filesize

                          790B

                          MD5

                          44d77c7fbcc9698a997da96a581a5f3f

                          SHA1

                          80618216f148467a05cfe221941412cdef87330d

                          SHA256

                          26a8d7b812cd4894684c86f330425b8669dcc8eff2c0555dcd5e20545f303d65

                          SHA512

                          ba46b340dda3333cc0c4ac88d8db579d08143d9825e89723af6fa38642cff3bb12417907a0c44de3fb336aa376644fe64cd0b91f2323a0f7c6846b79f3b03213

                        • C:\Users\Admin\AppData\Local\Temp\ba23441d-9b88-47af-8863-69160435d031.vbs
                          Filesize

                          790B

                          MD5

                          30df9ab87ead37b3435954a97a9e266a

                          SHA1

                          6e48d29f69c90226587b5426d0b323bce2454408

                          SHA256

                          a06adb2fb35c447c8ca680ea70430184d8939eadf1db44b3ca96e06eec90da8f

                          SHA512

                          ac76a87d16979b7ae28f04b665095677790eff147ec93cdc4b7f23ac6c1fecb3ac5e424d3110d54bdb9c11242744820948a0d300e6a46309ba3595ea067c6f06

                        • C:\Users\Admin\AppData\Local\Temp\c5bf4987-de4f-48fe-b8c4-1175fc34a508.vbs
                          Filesize

                          790B

                          MD5

                          c18bc3440e02205862eacf58e170b80a

                          SHA1

                          fc5171c630929d4bcd7b770071f1c21b7041d62b

                          SHA256

                          e5bd0b02dbaa2daa0ac4b0c454f5191e89c76384985fc97852e77e7191240469

                          SHA512

                          7f85e647dc004371ab25fcae1612e0f30e1ccc173a446a9a2b3f700a2556d4b69da5f1f15910c0c4f7784cc56ae67f474c89288c603b6ffad0ed0f3c05fb8344

                        • C:\Users\Admin\AppData\Local\Temp\dc55f815-c192-4012-afed-ec2050c9fd00.vbs
                          Filesize

                          790B

                          MD5

                          8ca0246a7c5f631319c83c7ca00d3681

                          SHA1

                          cc058a8273e8fc75972b597d1b3c0924515f60f1

                          SHA256

                          773b4a37b31085ac4dca9de41d2cfa80ba5926b88fe53b44a28eff6f755b45be

                          SHA512

                          0255fe9d161f3d2b76a6ce94c2a166df7af825ff35887ccc682a4e954dad185cdd362f02da5d4cbf5a1b233e955f0a510961512b0505edf96ec66303c7bd05b2

                        • C:\Users\Admin\AppData\Local\Temp\fba3d8c5-ca61-488f-a15e-706e4e898e62.vbs
                          Filesize

                          566B

                          MD5

                          bc816ae6a30d34acd6e670e137a9dfae

                          SHA1

                          a613ba0dae52aca2f7cf227594a502d0d8a062af

                          SHA256

                          3179094968692e22c32a27334edd9dee1fff09017e1fa058f4e1711eede0a003

                          SHA512

                          b5fda4fab2cadfa51decbbda6dc97d4aae1026676d0a97abfccf43d7121cb791d7c3fd638a05321298c166b654cb618b45e8e7100e3ec1af3d001c709c9cd605

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                          Filesize

                          7KB

                          MD5

                          86033fc6ce1eb4bd3294a05064ec5e46

                          SHA1

                          a28587c91c172588142676b3c4b6eccde738442c

                          SHA256

                          42bd54913436eeeb2d8204465a1d83cdad1e7bbc91ee8d977fd5af36d2ace1d4

                          SHA512

                          f6b38b4e69eb7aac954f6cf784e09a9954576eaadd6fb4f4c308955019288a8631265566cbb8f37022d300307c8935eb6e28aa561aa130280e8be3e2da052776

                        • memory/556-256-0x000000001B690000-0x000000001B972000-memory.dmp
                          Filesize

                          2.9MB

                        • memory/1416-261-0x0000000001FC0000-0x0000000001FC8000-memory.dmp
                          Filesize

                          32KB

                        • memory/1468-379-0x00000000008C0000-0x00000000008D2000-memory.dmp
                          Filesize

                          72KB

                        • memory/1468-378-0x00000000001B0000-0x00000000004EC000-memory.dmp
                          Filesize

                          3.2MB

                        • memory/1676-307-0x0000000000800000-0x0000000000B3C000-memory.dmp
                          Filesize

                          3.2MB

                        • memory/1676-309-0x0000000002220000-0x0000000002232000-memory.dmp
                          Filesize

                          72KB

                        • memory/1788-320-0x0000000001380000-0x00000000016BC000-memory.dmp
                          Filesize

                          3.2MB

                        • memory/2092-366-0x0000000001370000-0x0000000001382000-memory.dmp
                          Filesize

                          72KB

                        • memory/2340-14-0x0000000002510000-0x000000000251C000-memory.dmp
                          Filesize

                          48KB

                        • memory/2340-16-0x000000001AB10000-0x000000001AB1C000-memory.dmp
                          Filesize

                          48KB

                        • memory/2340-24-0x000000001AFF0000-0x000000001AFFA000-memory.dmp
                          Filesize

                          40KB

                        • memory/2340-27-0x000000001B130000-0x000000001B13E000-memory.dmp
                          Filesize

                          56KB

                        • memory/2340-26-0x000000001B010000-0x000000001B018000-memory.dmp
                          Filesize

                          32KB

                        • memory/2340-28-0x000000001B1C0000-0x000000001B1CC000-memory.dmp
                          Filesize

                          48KB

                        • memory/2340-29-0x000000001B1D0000-0x000000001B1D8000-memory.dmp
                          Filesize

                          32KB

                        • memory/2340-30-0x000000001B1E0000-0x000000001B1EA000-memory.dmp
                          Filesize

                          40KB

                        • memory/2340-31-0x000000001B1F0000-0x000000001B1FC000-memory.dmp
                          Filesize

                          48KB

                        • memory/2340-33-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp
                          Filesize

                          9.9MB

                        • memory/2340-23-0x000000001B020000-0x000000001B028000-memory.dmp
                          Filesize

                          32KB

                        • memory/2340-22-0x000000001AFE0000-0x000000001AFEC000-memory.dmp
                          Filesize

                          48KB

                        • memory/2340-21-0x000000001AFD0000-0x000000001AFDC000-memory.dmp
                          Filesize

                          48KB

                        • memory/2340-20-0x000000001ABF0000-0x000000001ABFC000-memory.dmp
                          Filesize

                          48KB

                        • memory/2340-19-0x000000001ABE0000-0x000000001ABEC000-memory.dmp
                          Filesize

                          48KB

                        • memory/2340-18-0x000000001ABB0000-0x000000001ABC2000-memory.dmp
                          Filesize

                          72KB

                        • memory/2340-17-0x000000001AB20000-0x000000001AB28000-memory.dmp
                          Filesize

                          32KB

                        • memory/2340-25-0x000000001B000000-0x000000001B00E000-memory.dmp
                          Filesize

                          56KB

                        • memory/2340-15-0x000000001AB00000-0x000000001AB08000-memory.dmp
                          Filesize

                          32KB

                        • memory/2340-308-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp
                          Filesize

                          9.9MB

                        • memory/2340-0-0x000007FEF5493000-0x000007FEF5494000-memory.dmp
                          Filesize

                          4KB

                        • memory/2340-13-0x000000001AAB0000-0x000000001AB06000-memory.dmp
                          Filesize

                          344KB

                        • memory/2340-12-0x0000000002500000-0x000000000250A000-memory.dmp
                          Filesize

                          40KB

                        • memory/2340-10-0x00000000006C0000-0x00000000006C8000-memory.dmp
                          Filesize

                          32KB

                        • memory/2340-11-0x000000001AAA0000-0x000000001AAB0000-memory.dmp
                          Filesize

                          64KB

                        • memory/2340-9-0x00000000009B0000-0x00000000009C6000-memory.dmp
                          Filesize

                          88KB

                        • memory/2340-1-0x0000000000280000-0x00000000005BC000-memory.dmp
                          Filesize

                          3.2MB

                        • memory/2340-8-0x00000000006B0000-0x00000000006C0000-memory.dmp
                          Filesize

                          64KB

                        • memory/2340-7-0x0000000000270000-0x0000000000278000-memory.dmp
                          Filesize

                          32KB

                        • memory/2340-6-0x0000000000600000-0x000000000061C000-memory.dmp
                          Filesize

                          112KB

                        • memory/2340-5-0x0000000000260000-0x0000000000268000-memory.dmp
                          Filesize

                          32KB

                        • memory/2340-4-0x0000000000250000-0x000000000025E000-memory.dmp
                          Filesize

                          56KB

                        • memory/2340-3-0x0000000000240000-0x000000000024E000-memory.dmp
                          Filesize

                          56KB

                        • memory/2340-2-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp
                          Filesize

                          9.9MB

                        • memory/2856-332-0x0000000000510000-0x0000000000566000-memory.dmp
                          Filesize

                          344KB