Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-05-2024 19:23

General

  • Target

    1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe

  • Size

    3.2MB

  • MD5

    1553f67a0859a3057cde01f77db9dbc0

  • SHA1

    2cfe40d1fea16093e16c96a35f3240b98da9a5e1

  • SHA256

    a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152

  • SHA512

    4ff68e4ad4299aa2ca2be8dfd1742d641cf9aee6b687f94b1e3c68062630b2e167a13550a8a184c8ff5a3df1da5b3182ebd29759a84a219af37a8688df6f0de5

  • SSDEEP

    49152:vC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:vC0Fl8v/qXYrv5tG9uKJGAWl5N

Malware Config

Signatures

  • DcRat

    DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 18 IoCs
  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.

  • Executes dropped EXE 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 12 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2380
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1048
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:764
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:664
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2236
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:844
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:940
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1860
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1592
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1560
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZulfStaN0H.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
        PID:2112
      • C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
        "C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2612
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ffff686-4516-46fa-9f0d-2e8ef0881a28.vbs"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1956
          • C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
            C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
            5⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2180
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28d0c9de-bce9-431f-b7c4-b0c31daffd5d.vbs"
              6⤵
              PID:1740
              • C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
                C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
                7⤵
                • UAC bypass
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious use of AdjustPrivilegeToken
                • System policy modification
                PID:2740
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ca98162-3d6a-4a27-b81a-fe696b8f376d.vbs"
                  8⤵
                  PID:2272
                  • C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
                    C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
                    9⤵
                    • UAC bypass
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious use of AdjustPrivilegeToken
                    • System policy modification
                    PID:2256
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70ce8163-641e-4dd6-9974-4cad816e5fb0.vbs"
                      10⤵
                      PID:2312
                      • C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
                        C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
                        11⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:2496
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1966821b-46e2-4bd3-92f2-7358e42a5a80.vbs"
                          12⤵
                          PID:2500
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfd4f19f-9276-44f0-8e38-404f7146c46b.vbs"
                          12⤵
                          PID:1852
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\148b7e11-ee7d-4d81-9d9a-eabcd024a733.vbs"
                      10⤵
                      PID:2688
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8526f789-beb6-40ef-aee9-a6b5bb5143da.vbs"
                  8⤵
                  PID:2888
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a34004e5-db2d-4197-a3fe-47162cebb188.vbs"
              6⤵
              PID:1576
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\023fb7b8-b690-4d75-b756-fba66941e125.vbs"
          4⤵
          PID:1916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2456
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2404
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2460
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:664
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2364
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:892
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2468
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Downloads\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2604
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Downloads\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2216
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1812
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1972
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2212
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2204
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1432
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\en-US\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\en-US\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1496
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2072
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2972
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2016
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2132
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ShellNew\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellNew\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1348
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\WIA\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\debug\WIA\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\WIA\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:820
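Two patterns in the process tree above lend themselves to an automated check: PowerShell adding a Windows Defender exclusion for every top-level folder on C: (and for C:\ itself), and schtasks creating tasks whose targets carry core Windows process names (winlogon.exe, lsass.exe, csrss.exe, smss.exe, sppsvc.exe, dllhost.exe, spoolsv.exe, services.exe, dwm.exe) but live outside System32, many of them with /rl HIGHEST and a minute-interval re-launch. The Python helper below is an added example, not part of the sandbox report or of the sample's own code: it parses command lines of this shape and flags both patterns. The table of legitimate binary locations is the editor's assumption, and the two benign contrast lines in SAMPLE_CMDLINES are constructed; the other sample lines are copied from the tree above.

```python
"""Flag broad Defender exclusions and masquerading scheduled tasks in process
command lines (a sandbox process tree, Sysmon event ID 1, EDR telemetry)."""
import re
from pathlib import PureWindowsPath

# Core Windows process names that malware borrows, mapped to the directories
# where the genuine binary lives. Assumed table (lower-case), not from the report.
SYSTEM_BINARIES = {
    "lsass.exe":    {r"c:\windows\system32"},
    "csrss.exe":    {r"c:\windows\system32"},
    "smss.exe":     {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "spoolsv.exe":  {r"c:\windows\system32"},
    "sppsvc.exe":   {r"c:\windows\system32"},
    "dwm.exe":      {r"c:\windows\system32"},
    "dllhost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
}

_SCHTASKS_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)
_FLAGS = {
    "tn": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "sc": re.compile(r"/sc\s+(\S+)", re.I),
    "mo": re.compile(r"/mo\s+(\d+)", re.I),
    "rl": re.compile(r"/rl\s+(\S+)", re.I),
    # /tr is double-quoted; this sample additionally single-quotes the path
    "tr": re.compile(r'/tr\s+"\'?(.*?)\'?"', re.I),
}
_EXCLUSION = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)


def parse_schtasks(cmdline):
    """Return the flags of a 'schtasks /create' command line, or None if it is not one."""
    if not _SCHTASKS_CREATE.search(cmdline):
        return None
    task = {}
    for key, rx in _FLAGS.items():
        m = rx.search(cmdline)
        task[key] = m.group(1) if m else None
    return task


def masquerade_reason(task):
    """Explain why a parsed task looks like masquerading persistence, else None."""
    if not task or not task["tr"]:
        return None
    target = PureWindowsPath(task["tr"])
    expected = SYSTEM_BINARIES.get(target.name.lower())
    if expected is None or str(target.parent).lower() in expected:
        return None
    reason = f"{task['tn']}: {target.name} outside {sorted(expected)} at {target.parent}"
    if (task["rl"] or "").upper() == "HIGHEST":
        reason += "; /rl HIGHEST"
    if (task["sc"] or "").upper() == "MINUTE":
        reason += f"; re-launched every {task['mo']} min"
    return reason


def broad_exclusion(cmdline):
    """Return the excluded path when an Add-MpPreference exclusion covers a drive
    root or a top-level folder (such as 'C:/' or 'C:/Windows/'), else None."""
    m = _EXCLUSION.search(cmdline)
    if not m:
        return None
    path = PureWindowsPath(m.group(1).replace("/", "\\"))
    # parts of C:\Windows are ('C:\\', 'Windows'); the drive anchor is not a folder
    depth = len(path.parts) - (1 if path.drive else 0)
    return str(path) if depth <= 1 else None


def triage(cmdlines):
    """Run both checks over an iterable of command lines and collect the hits."""
    findings = {"broad_exclusions": [], "masquerading_tasks": []}
    for line in cmdlines:
        excl = broad_exclusion(line)
        if excl:
            findings["broad_exclusions"].append(excl)
        reason = masquerade_reason(parse_schtasks(line))
        if reason:
            findings["masquerading_tasks"].append(reason)
    return findings


# Constructed sample. Entries 0, 1, 3, 4 and 5 are copied from the process tree
# above; entries 2 and 6 are benign contrast cases that are not in the report.
SAMPLE_CMDLINES = [
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/Contoso/Agent/'",
    r'''schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "Contoso Updater" /sc ONLOGON /tr "'C:\Windows\System32\dllhost.exe'" /f''',
]

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_CMDLINES).items():
        print(f"{kind}: {len(hits)}")
        for hit in hits:
            print("  -", hit)
```

Feed `triage()` the command-line field of Sysmon event ID 1 or of your EDR's process records rather than the sample list. On a live host the same two questions are answered by `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` and `schtasks /query /v /fo csv`; the latter also works on Windows 7, where the Get-ScheduledTask cmdlet is not available.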

                      Network

                      MITRE ATT&CK Enterprise v15

                      Downloads

                      • C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dllhost.exe

                        Filesize

                        3.2MB

                        MD5

                        325ab4cde5aecfae8d6ec0b25d8d3b91

                        SHA1

                        9761ef61579af9d336742d9713c97e4f25754fc4

                        SHA256

                        962b6e4d5391f0fb417f483f3da6158cb235348990910b9febb4838795a0220f

                        SHA512

                        25997b198f35f043c635f5cedc2f3c6a680c64d8ca5772d48229f25cc3503ce03ef6070b2c2d8c1a4d203a2fb39e37869d8eee6838ffbedd9c0ef87211bc6cd3

                      • C:\Users\Admin\AppData\Local\Temp\023fb7b8-b690-4d75-b756-fba66941e125.vbs

                        Filesize

                        511B

                        MD5

                        fd89b79f32faf02cd4d131f6f4791064

                        SHA1

                        3261963b0ed0d6266b96e3a00607ce733d5b1361

                        SHA256

                        cc163745e88b36f2b7c651051b417a559e4f796b7f2fc915b973d1311a7910e0

                        SHA512

                        695bbae3fcdce21a58e65043f1797f0113417f3aa096ca4f1ea4b02ac473a93c0c397f816b4b38c3d32893007a9fb044329e47cc68c2bc63948d0959a89f7b08

                      • C:\Users\Admin\AppData\Local\Temp\1966821b-46e2-4bd3-92f2-7358e42a5a80.vbs

                        Filesize

                        735B

                        MD5

                        5a1cfab63fa8629e8415bf53e0ed3c2f

                        SHA1

                        23b44f80af6f3a376030049e67de00cd59dd3a4e

                        SHA256

                        d387f5a447458c34771372eb5ffedede135ed4dece4112ebb5a14a555254bb86

                        SHA512

                        fa5e205632fc2cfd239c8b11bd120f20e3f9f8bd2d79a94af61758d11c8630bed749fc0511eb79239026d58ead7eecd224f48439a910584b6b060def7a45e250

                      • C:\Users\Admin\AppData\Local\Temp\28d0c9de-bce9-431f-b7c4-b0c31daffd5d.vbs

                        Filesize

                        735B

                        MD5

                        f79903abd422c2d05a57205ee5907433

                        SHA1

                        835d541b79cd08c240c6b4898b71f2942fad49ca

                        SHA256

                        4d85ca388a8d39d12bcf3214a39bdf600e045068d0a4b360771f82933135317b

                        SHA512

                        cc1b78918e5352a69ffcd9e65006536090db118a6ba7c82f2652a530cb76083c4c9bf4a7aa0d722e94a7ff4b53ac8bf9885c8cecb2fef7916c1711c32fcae9f0

                      • C:\Users\Admin\AppData\Local\Temp\70ce8163-641e-4dd6-9974-4cad816e5fb0.vbs
                        Filesize: 735B
                        MD5: 87716e5f6941d601eee2e1a6652caedc
                        SHA1: 6aa60dff27d85a70d48e13b2d56e14dfad0de977
                        SHA256: 12a52b4638715aae2fe948cca42454cab337c1a122415d039de252cf4bec9a20
                        SHA512: 2f4c7fb0b3dc91caa425a6661dff694a29115e77142a1debea6ce49c960b98ffb89bc92a77897f248b57f22319652d764cb26c8c81c4c8f4e0bfff4b89be2638

                      • C:\Users\Admin\AppData\Local\Temp\7ffff686-4516-46fa-9f0d-2e8ef0881a28.vbs
                        Filesize: 735B
                        MD5: e83026a7357a2e644a6438dcbc26caef
                        SHA1: 554c63ddbc4fd1e65a8ecc37d1170e45fe009831
                        SHA256: b69ea6fd70dd4a4979a7a4b1e0323e697498baf9f4d3ee94162af114f6a5dba0
                        SHA512: 681b36ae2ab98ddb5395e13add638f954388e67ee65dffa78ddfc50671995af935269e3b6eb2c470b66dff992ee674a220f6acdb47924d323f34e009fb7c91fe

                      • C:\Users\Admin\AppData\Local\Temp\8ca98162-3d6a-4a27-b81a-fe696b8f376d.vbs
                        Filesize: 735B
                        MD5: 6cc7946cc438d7ab70de9c1dff330f88
                        SHA1: cc022a49a848c30af0680f4780b99eb55c9ff6b8
                        SHA256: dc445a3723df2b7f574eb8ff8b367c36c98819788d36599f4eef7fdf9d7d6f20
                        SHA512: 5fa3424636b72cbcaaaa8d483669147ac950790caf2d3c3db12ef4be9075e89ba97cd393e6f553cfbd13fdd2b3fcd482ee1aadcffb4ea5dbfe1d167e8f17edaa

                      • C:\Users\Admin\AppData\Local\Temp\ZulfStaN0H.bat
                        Filesize: 224B
                        MD5: 45195d6b4979756c0ad21b67b9e1831e
                        SHA1: 82db6ac0e69e5424667955c258e4937baf0749a6
                        SHA256: 94321fadc372ec3ae98a7c1b86c60301f380d14a5083c5d39d7acdffa4418ad1
                        SHA512: 7f63b69ec74b94b97409a138a4dbca5b0ac15b25070e09e7bce3c7b695778146307a0322ea769c4f97b3e0a89fd756e85565b873b973030e69bcca765da4a96a

                      • C:\Users\Admin\AppData\Local\Temp\ca1033d37860b7102ff60b8f8b730d81674a1cfb.exe
                        Filesize: 3.2MB
                        MD5: 1415988fb81427713469cc9232c1410e
                        SHA1: b5ef5fe6d4c8fd6e999fc9c3aba4e248c832abb2
                        SHA256: 53c5ad2b80527745e383b5e13dc55612089ee5b8f7d618d0e0ed190605f79482
                        SHA512: b0492f41e6cf2104958b59eea7a6e58c767e9bb1970b6076bf2bffa17e41071cb897357661da77a185acae0340ac58e71f17c21388eeac42bf8c1e693331c0d9

                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                        Filesize: 7KB
                        MD5: fb52e6e949decc6a10e4aa81a379c4a7
                        SHA1: 068a4772951abb25314c24159cff8214b2ab4269
                        SHA256: fed2bdbdb506bca7f2086a718c56a682b9a4de8f1cc8942890ea254fb4f72727
                        SHA512: 191e474a8cc287f6180a628365b2639a58c8587caac9e173048257a8734d0deba1ac1a45495f6ef72b98bcec1aae99b0ed02ba8e3c38712cdb4c385bc9a9a93c

                      • C:\Users\Default\Downloads\dwm.exe
                        Filesize: 3.2MB
                        MD5: 1553f67a0859a3057cde01f77db9dbc0
                        SHA1: 2cfe40d1fea16093e16c96a35f3240b98da9a5e1
                        SHA256: a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152
                        SHA512: 4ff68e4ad4299aa2ca2be8dfd1742d641cf9aee6b687f94b1e3c68062630b2e167a13550a8a184c8ff5a3df1da5b3182ebd29759a84a219af37a8688df6f0de5

                      • C:\Windows\LiveKernelReports\lsass.exe
                        Filesize: 3.2MB
                        MD5: 3023d473a232c30ac5508e987117dcfa
                        SHA1: b1281d49ec300fbb81b116915205e3df11b22b1e
                        SHA256: 00580a7b6017eaa317ea0ecb26fb3249cd8b53e5b6e02041f7b4d0790aaa6c7e
                        SHA512: 0e5147b8c73c986fca106bc9ffeba969392dd88cd6c90e1d8172b730f544ed593731f666d87f5a54693fed9cc120e0f2a597045bbdba04c377f04d8ee5a3b828
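The dropped-file list above is the part of this report a responder turns into checks. Two of the paths deserve more than a hash match: a file named dwm.exe written to a Downloads folder and a file named lsass.exe written under C:\Windows\LiveKernelReports, neither of which is where those process images live on a default install. As an added example (it is not part of the sandbox output and not the malware's own code), the Python below parses entries in this page's vertical layout, flags copies of core Windows process names dropped outside their canonical directory, and groups same-size script droppers whose hashes all differ, which is why hash-only IOCs for the .vbs files would miss the next run. The CANONICAL_DIRS table, the WinSxS allowance and the same-size heuristic are assumptions to tune for your environment; the embedded REPORT sample is constructed from four entries of this report.

```python
import ntpath
from collections import defaultdict

# Constructed sample: four entries copied from this report's dropped-files
# list (SHA1/SHA512 omitted for brevity; the parser accepts them too).
REPORT = r"""
• C:\Users\Default\Downloads\dwm.exe
  Filesize
  3.2MB
  MD5
  1553f67a0859a3057cde01f77db9dbc0
  SHA256
  a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152
• C:\Windows\LiveKernelReports\lsass.exe
  Filesize
  3.2MB
  MD5
  3023d473a232c30ac5508e987117dcfa
  SHA256
  00580a7b6017eaa317ea0ecb26fb3249cd8b53e5b6e02041f7b4d0790aaa6c7e
• C:\Users\Admin\AppData\Local\Temp\70ce8163-641e-4dd6-9974-4cad816e5fb0.vbs
  Filesize
  735B
  MD5
  87716e5f6941d601eee2e1a6652caedc
  SHA256
  12a52b4638715aae2fe948cca42454cab337c1a122415d039de252cf4bec9a20
• C:\Users\Admin\AppData\Local\Temp\7ffff686-4516-46fa-9f0d-2e8ef0881a28.vbs
  Filesize
  735B
  MD5
  e83026a7357a2e644a6438dcbc26caef
  SHA256
  b69ea6fd70dd4a4979a7a4b1e0323e697498baf9f4d3ee94162af114f6a5dba0
"""

FIELDS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}

# Assumption: where these images legitimately live on a default install.
# Tune per build; component-store copies under WinSxS are allowed by prefix.
CANONICAL_DIRS = {
    "dwm.exe": (r"c:\windows\system32",),
    "lsass.exe": (r"c:\windows\system32",),
    "csrss.exe": (r"c:\windows\system32",),
    "winlogon.exe": (r"c:\windows\system32",),
    "services.exe": (r"c:\windows\system32",),
    "svchost.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
    "explorer.exe": (r"c:\windows",),
}
WINSXS_PREFIX = "c:\\windows\\winsxs\\"


def parse_report(text):
    """Turn the page's 'label on one line, value on the next' layout into dicts."""
    entries, current = [], None
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            entries.append(current)
            i += 1
        elif current is not None and line in FIELDS and i + 1 < len(lines):
            current[line] = lines[i + 1]
            i += 2
        else:
            i += 1
    return entries


def find_masquerades(entries):
    """Core Windows process names dropped outside their expected directory."""
    hits = []
    for e in entries:
        directory, name = ntpath.split(e["path"])
        directory, name = directory.lower(), name.lower()
        allowed = CANONICAL_DIRS.get(name)
        if allowed is None:
            continue
        if directory in allowed or directory.startswith(WINSXS_PREFIX):
            continue
        hits.append((e["path"], f"{name} expected under {' or '.join(allowed)}"))
    return hits


def find_same_size_variants(entries, exts=(".vbs", ".bat", ".js", ".ps1")):
    """Script droppers of identical size whose hashes all differ (heuristic for
    per-run content randomization; hash IOCs alone will not catch the next run)."""
    groups = defaultdict(list)
    for e in entries:
        name = ntpath.basename(e["path"]).lower()
        if name.endswith(exts) and "Filesize" in e:
            groups[(ntpath.splitext(name)[1], e["Filesize"])].append(e)
    return {
        key: group for key, group in groups.items()
        if len(group) > 1 and len({g.get("SHA256") for g in group}) == len(group)
    }


if __name__ == "__main__":
    parsed = parse_report(REPORT)
    for path, reason in find_masquerades(parsed):
        print(f"MASQUERADE  {path}  ({reason})")
    for (ext, size), group in find_same_size_variants(parsed).items():
        print(f"SAME-SIZE   {ext} x{len(group)} at {size}, all hashes distinct")
```

Run against the full list on this page the masquerade check reports the two renamed copies and the variant check groups the three 735B .vbs files; the path rule is the one worth carrying into endpoint hunting, since a 3.2MB "lsass.exe" that is not signed and not in System32 is anomalous regardless of hash.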

                      • memory/664-239-0x00000000022F0000-0x00000000022F8000-memory.dmp
                        Filesize: 32KB

                      • memory/664-231-0x000000001B230000-0x000000001B512000-memory.dmp
                        Filesize: 2.9MB

                      • memory/2256-314-0x0000000001000000-0x000000000133C000-memory.dmp
                        Filesize: 3.2MB

                      • memory/2380-13-0x0000000000520000-0x0000000000576000-memory.dmp
                        Filesize: 344KB

                      • memory/2380-14-0x0000000002460000-0x000000000246C000-memory.dmp
                        Filesize: 48KB

                      • memory/2380-17-0x0000000002490000-0x0000000002498000-memory.dmp
                        Filesize: 32KB

                      • memory/2380-18-0x00000000024A0000-0x00000000024B2000-memory.dmp
                        Filesize: 72KB

                      • memory/2380-19-0x00000000024B0000-0x00000000024BC000-memory.dmp
                        Filesize: 48KB

                      • memory/2380-20-0x000000001A9E0000-0x000000001A9EC000-memory.dmp
                        Filesize: 48KB

                      • memory/2380-21-0x000000001A9F0000-0x000000001A9FC000-memory.dmp
                        Filesize: 48KB

                      • memory/2380-22-0x000000001AA00000-0x000000001AA0C000-memory.dmp
                        Filesize: 48KB

                      • memory/2380-23-0x000000001AA10000-0x000000001AA18000-memory.dmp
                        Filesize: 32KB

                      • memory/2380-25-0x000000001AF50000-0x000000001AF5E000-memory.dmp
                        Filesize: 56KB

                      • memory/2380-24-0x000000001AF40000-0x000000001AF4A000-memory.dmp
                        Filesize: 40KB

                      • memory/2380-26-0x000000001AF60000-0x000000001AF68000-memory.dmp
                        Filesize: 32KB

                      • memory/2380-27-0x000000001AFF0000-0x000000001AFFE000-memory.dmp
                        Filesize: 56KB

                      • memory/2380-28-0x000000001B000000-0x000000001B00C000-memory.dmp
                        Filesize: 48KB

                      • memory/2380-29-0x000000001B010000-0x000000001B018000-memory.dmp
                        Filesize: 32KB

                      • memory/2380-30-0x000000001B020000-0x000000001B02A000-memory.dmp
                        Filesize: 40KB

                      • memory/2380-31-0x000000001B030000-0x000000001B03C000-memory.dmp
                        Filesize: 48KB

                      • memory/2380-32-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp
                        Filesize: 9.9MB

                      • memory/2380-15-0x0000000002470000-0x0000000002478000-memory.dmp
                        Filesize: 32KB

                      • memory/2380-16-0x0000000002480000-0x000000000248C000-memory.dmp
                        Filesize: 48KB

                      • memory/2380-12-0x00000000004F0000-0x00000000004FA000-memory.dmp
                        Filesize: 40KB

                      • memory/2380-0-0x000007FEF5A73000-0x000007FEF5A74000-memory.dmp
                        Filesize: 4KB

                      • memory/2380-1-0x0000000000C20000-0x0000000000F5C000-memory.dmp
                        Filesize: 3.2MB

                      • memory/2380-2-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp
                        Filesize: 9.9MB

                      • memory/2380-3-0x00000000001B0000-0x00000000001BE000-memory.dmp
                        Filesize: 56KB

                      • memory/2380-276-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp
                        Filesize: 9.9MB

                      • memory/2380-11-0x0000000000510000-0x0000000000520000-memory.dmp
                        Filesize: 64KB

                      • memory/2380-10-0x0000000000460000-0x0000000000468000-memory.dmp
                        Filesize: 32KB

                      • memory/2380-4-0x00000000001C0000-0x00000000001CE000-memory.dmp
                        Filesize: 56KB

                      • memory/2380-5-0x00000000001D0000-0x00000000001D8000-memory.dmp
                        Filesize: 32KB

                      • memory/2380-6-0x0000000000400000-0x000000000041C000-memory.dmp
                        Filesize: 112KB

                      • memory/2380-7-0x00000000001E0000-0x00000000001E8000-memory.dmp
                        Filesize: 32KB

                      • memory/2380-9-0x0000000000440000-0x0000000000456000-memory.dmp
                        Filesize: 88KB

                      • memory/2380-8-0x0000000000430000-0x0000000000440000-memory.dmp
                        Filesize: 64KB

                      • memory/2496-326-0x0000000001220000-0x000000000155C000-memory.dmp
                        Filesize: 3.2MB

                      • memory/2612-280-0x0000000001260000-0x00000000012B6000-memory.dmp
                        Filesize: 344KB

                      • memory/2612-279-0x0000000001370000-0x00000000016AC000-memory.dmp
                        Filesize: 3.2MB

                      • memory/2740-302-0x0000000000040000-0x000000000037C000-memory.dmp
                        Filesize: 3.2MB