Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-05-2024 19:11

General

  • Target

    13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe

  • Size

    1.2MB

  • MD5

    13479ce2adfeb68235431878761f2bd0

  • SHA1

    becd3db1ddb9494d64b2f8f28ca9dcfea5afdbb2

  • SHA256

    56eb43e82dc6e809762241b8c517ad95557489df9f758e5d2f4104742ca892b7

  • SHA512

    597d1bb3e5f090bd098bcf52ba37e132175e6c29161ba1e8398875c8de230ceb3efe47f88f435b639a8ec73fd3d0a559df072b0bf4b0b9e934540f58f9615785

  • SSDEEP

    24576:VR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:bJaDKf4p4UD1v

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 48 IoCs
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 16 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 15 IoCs
  • Checks whether UAC is enabled 1 TTPs 32 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 16 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 48 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3932
    • C:\Program Files\7-Zip\Lang\Registry.exe
      "C:\Program Files\7-Zip\Lang\Registry.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5744
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22156452-dd09-45d4-ae18-fd6468af8618.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1448
        • C:\Program Files\7-Zip\Lang\Registry.exe
          "C:\Program Files\7-Zip\Lang\Registry.exe"
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1048
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edddfa33-8d6c-4487-9834-32ab63455058.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3004
            • C:\Program Files\7-Zip\Lang\Registry.exe
              "C:\Program Files\7-Zip\Lang\Registry.exe"
              6⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:3804
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43558a0e-9894-454a-83f2-95e0e533ae46.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:4568
                • C:\Program Files\7-Zip\Lang\Registry.exe
                  "C:\Program Files\7-Zip\Lang\Registry.exe"
                  8⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:5740
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f570ebb3-f735-446a-9597-d206b5e8df81.vbs"
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:768
                    • C:\Program Files\7-Zip\Lang\Registry.exe
                      "C:\Program Files\7-Zip\Lang\Registry.exe"
                      10⤵
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:4916
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a91b942-8f96-497f-9b95-2f34cf54b281.vbs"
                        11⤵
                        • Suspicious use of WriteProcessMemory
                        PID:5248
                        • C:\Program Files\7-Zip\Lang\Registry.exe
                          "C:\Program Files\7-Zip\Lang\Registry.exe"
                          12⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:5016
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ebf0c7d-dfb4-4ce6-acdb-1d47ac45e193.vbs"
                            13⤵
                            • Suspicious use of WriteProcessMemory
                            PID:1064
                            • C:\Program Files\7-Zip\Lang\Registry.exe
                              "C:\Program Files\7-Zip\Lang\Registry.exe"
                              14⤵
                              • UAC bypass
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              • System policy modification
                              PID:2236
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\928849f6-b62b-4353-93a4-65195f33776c.vbs"
                                15⤵
                                • Suspicious use of WriteProcessMemory
                                PID:5420
                                • C:\Program Files\7-Zip\Lang\Registry.exe
                                  "C:\Program Files\7-Zip\Lang\Registry.exe"
                                  16⤵
                                  • UAC bypass
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Modifies registry class
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  • System policy modification
                                  PID:3724
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0321a02f-68ac-4324-b0a9-06f3d20bccec.vbs"
                                    17⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:4924
                                    • C:\Program Files\7-Zip\Lang\Registry.exe
                                      "C:\Program Files\7-Zip\Lang\Registry.exe"
                                      18⤵
                                      • UAC bypass
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Modifies registry class
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      • System policy modification
                                      PID:4068
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d97f5c2-c923-4e22-b4d0-0af6a22d542f.vbs"
                                        19⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:3396
                                        • C:\Program Files\7-Zip\Lang\Registry.exe
                                          "C:\Program Files\7-Zip\Lang\Registry.exe"
                                          20⤵
                                          • UAC bypass
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Modifies registry class
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          • System policy modification
                                          PID:4836
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a52c5b0-c5e6-4d0e-99e9-e3e82331636f.vbs"
                                            21⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:6080
                                            • C:\Program Files\7-Zip\Lang\Registry.exe
                                              "C:\Program Files\7-Zip\Lang\Registry.exe"
                                              22⤵
                                              • UAC bypass
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Checks whether UAC is enabled
                                              • Modifies registry class
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              • System policy modification
                                              PID:6088
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ce2bb3b-bd5c-4fd7-9b03-934eab621c02.vbs"
                                                23⤵
                                                  PID:792
                                                  • C:\Program Files\7-Zip\Lang\Registry.exe
                                                    "C:\Program Files\7-Zip\Lang\Registry.exe"
                                                    24⤵
                                                    • UAC bypass
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Checks whether UAC is enabled
                                                    • Modifies registry class
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • System policy modification
                                                    PID:944
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\729371c2-3b9d-425f-9ab6-60a8c1336f82.vbs"
                                                      25⤵
                                                        PID:1188
                                                        • C:\Program Files\7-Zip\Lang\Registry.exe
                                                          "C:\Program Files\7-Zip\Lang\Registry.exe"
                                                          26⤵
                                                          • UAC bypass
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Checks whether UAC is enabled
                                                          • Modifies registry class
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • System policy modification
                                                          PID:5700
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3645f0ef-38bc-4604-ac6b-f46cd364f500.vbs"
                                                            27⤵
                                                              PID:5704
                                                              • C:\Program Files\7-Zip\Lang\Registry.exe
                                                                "C:\Program Files\7-Zip\Lang\Registry.exe"
                                                                28⤵
                                                                • UAC bypass
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Checks whether UAC is enabled
                                                                • Modifies registry class
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                • System policy modification
                                                                PID:2664
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84e9772b-728d-44fd-8d90-e49a9341260e.vbs"
                                                                  29⤵
                                                                    PID:4472
                                                                    • C:\Program Files\7-Zip\Lang\Registry.exe
                                                                      "C:\Program Files\7-Zip\Lang\Registry.exe"
                                                                      30⤵
                                                                      • UAC bypass
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Checks whether UAC is enabled
                                                                      • Modifies registry class
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      • System policy modification
                                                                      PID:3928
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\509c55a2-1419-478b-bc45-d46afe969a49.vbs"
                                                                        31⤵
                                                                          PID:2720
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c75efd7-ce06-4b93-b63c-fc329a85f255.vbs"
                                                                          31⤵
                                                                            PID:5740
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4259106-d483-4c9d-80d7-c3bd084f8d2d.vbs"
                                                                        29⤵
                                                                          PID:5092
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8bfe4e5-da60-40d5-aa2f-e3ce31515ea4.vbs"
                                                                      27⤵
                                                                        PID:1080
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93c7d8ad-045c-47cc-b5ac-ca86f6a91077.vbs"
                                                                    25⤵
                                                                      PID:1924
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67ccac60-e583-4dcc-a3d7-6d90ceaaf2b7.vbs"
                                                                  23⤵
                                                                    PID:5300
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77ab77e7-e027-43b3-9f2b-6da20bd1081e.vbs"
                                                                21⤵
                                                                  PID:4692
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46c99728-7af6-42e6-966e-c0bf7d5d1484.vbs"
                                                              19⤵
                                                                PID:5852
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b10cb25-52ef-437e-be81-3147ccd658de.vbs"
                                                            17⤵
                                                              PID:1524
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9411737-7236-4cae-983a-8853648e90e0.vbs"
                                                          15⤵
                                                            PID:4380
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50e90164-3b1e-4891-b467-f21280e63dea.vbs"
                                                        13⤵
                                                          PID:1424
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae57892e-9043-401e-ac3e-00b4cb3d1f59.vbs"
                                                      11⤵
                                                        PID:4336
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65147756-6be1-4248-81fb-46a297fef56b.vbs"
                                                    9⤵
                                                      PID:5132
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\219e93eb-bc33-4eb7-90fe-9b81c3f339e6.vbs"
                                                  7⤵
                                                    PID:5612
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7dd23086-0c42-4795-84a1-cc49d687287e.vbs"
                                                5⤵
                                                  PID:2940
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d24feec2-5af4-48d0-91a4-8a0d15778e7a.vbs"
                                              3⤵
                                                PID:3240
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4072
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4092
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:3808
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\debug\WmiPrvSE.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4144
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\debug\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4352
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:1956
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\fontdrvhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4064
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Help\fontdrvhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:676
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\fontdrvhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:5876
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\MusNotification.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4332
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Windows\de-DE\MusNotification.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4636
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\MusNotification.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4048
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:3804
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:3720
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:2452
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Templates\sppsvc.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:3032
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Templates\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:3648
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Templates\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:3052
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\Registry.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:2388
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Registry.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:1932
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\Registry.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:5608
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:2740
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:3128
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:5336
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:5712
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:5472
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:5328
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:2680
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4392
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:5752
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:5448
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:2560
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:1056

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Downloads

                                          • C:\Program Files\7-Zip\Lang\RCX4B48.tmp
                                            Filesize: 1.2MB
                                            MD5: 0d56c034ffddff97cdb77bc7cbf2c386
                                            SHA1: b1540f11fcbaa3ba79274ccd6c0ef56db0bb5fe6
                                            SHA256: 2e1406fb07a07d1e4601044624be0c40e9f884992332deaa36b2845759f86a11
                                            SHA512: 67fc1da5d777816cc305a93f1553504be4062e843ea760d6103a9c1e611c3ea6c3ba95975577da82c6ae06b353240ab0e0832c717fb45902f425ac8f69a1d1eb

                                          • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe
                                            Filesize: 1.2MB
                                            MD5: 13479ce2adfeb68235431878761f2bd0
                                            SHA1: becd3db1ddb9494d64b2f8f28ca9dcfea5afdbb2
                                            SHA256: 56eb43e82dc6e809762241b8c517ad95557489df9f758e5d2f4104742ca892b7
                                            SHA512: 597d1bb3e5f090bd098bcf52ba37e132175e6c29161ba1e8398875c8de230ceb3efe47f88f435b639a8ec73fd3d0a559df072b0bf4b0b9e934540f58f9615785

                                          • C:\Recovery\WindowsRE\smss.exe
                                            Filesize: 1.2MB
                                            MD5: f425cb616327e2e8ee96d7de2ac16af9
                                            SHA1: 8963c8363d40a79b61581896f681f1cf8c225135
                                            SHA256: 28d2ac277953c6b1457c6537f4aa9d8c76ea961989a41bb9e6b76587391bf2a3
                                            SHA512: 71a3c39c383fa8aa87457b574679b7c92ee5ef1b18468b762c217a566fedbd401eefa850148d381d755eaa83455504561c8103ab9d6cbbe41526089ff4c109ee

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.exe.log
                                            Filesize: 1KB
                                            MD5: 3690a1c3b695227a38625dcf27bd6dac
                                            SHA1: c2ed91e98b120681182904fa2c7cd504e5c4b2f5
                                            SHA256: 2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73
                                            SHA512: 15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

                                          • C:\Users\Admin\AppData\Local\Temp\0321a02f-68ac-4324-b0a9-06f3d20bccec.vbs
                                            Filesize: 716B
                                            MD5: 01a51e79ae684e001a089d04884ffa5e
                                            SHA1: 0a86a443ee73bc9179383ca8fa1d893913f13b66
                                            SHA256: d338090569224029bf5f3e03d426a6e87da4d14fddbee211da93e912fd0fcc40
                                            SHA512: b0c3f3e6a49ce2ce8c35d04085ad12ae49c4389ae27af5dc1c2935e3e3d9cb14fba16f84185a52ccaeca13e58763eb63fc814e96279a94b45538167d9fc69c1d

                                          • C:\Users\Admin\AppData\Local\Temp\1ebf0c7d-dfb4-4ce6-acdb-1d47ac45e193.vbs
                                            Filesize: 716B
                                            MD5: 2e35f11b6044c947f0ddf7bc9711409c
                                            SHA1: 91f5c041fc231970a76e30cde68d010ff9222125
                                            SHA256: 0c01d844c8cfb3f903430f5aef5ffdebed7674ccfe5dd1236852faca86c26550
                                            SHA512: d3afe806f4cb2db0030411596269ba4a8a75432b47414750b059e59540dbdf90db28dd2adf7a504c320e4ca300c8150650aad78f485518d63a5bddf5c40d709a

                                          • C:\Users\Admin\AppData\Local\Temp\22156452-dd09-45d4-ae18-fd6468af8618.vbs
                                            Filesize: 716B
                                            MD5: 8982751a52218176daa002eb88424080
                                            SHA1: c16a3baeb42db26cadcd156e7b82d027403a3a20
                                            SHA256: 0b879fddb1f86cac5cc6fcd34b7564e93377cbddae0962613900fe14aee4ccdd
                                            SHA512: 98456a577bef5a83bf3a743f84131bf2b753af0892aca45643303845ea7f03d7b4b11c490631bd033d8645468d2402c96f0dcde393914766d9d0f0bde78ad23e

                                          • C:\Users\Admin\AppData\Local\Temp\3645f0ef-38bc-4604-ac6b-f46cd364f500.vbs
                                            Filesize: 716B
                                            MD5: 652400cc6edfdd560d4fc763fd0e4d81
                                            SHA1: 3f992b5a5d229684806bd849b4747a8fd4e7b1cb
                                            SHA256: 6203b62bc53ab5dd1fbb9e811c47572c9f97ac3fddd6f9958704b8a616140c52
                                            SHA512: 9b057ab61649217bcd11ba55e1db6aa7a8d5a203f198bb8efc23e5341441c7e2efb2d0de70cf49366ae7cc87d94bc35eeef31a477adcadae014585d5fe8432e5

                                          • C:\Users\Admin\AppData\Local\Temp\43558a0e-9894-454a-83f2-95e0e533ae46.vbs
                                            Filesize: 716B
                                            MD5: 58dac40d92e6313eae55fcd159695f08
                                            SHA1: 765e56d521f35afe6a2881fce1a218a5d36aec02
                                            SHA256: a407a19ce1235c707b207020a354e0db34559da2a0e95e771628b9020668bd28
                                            SHA512: e41646a2c97c64d09a2ffa7cd21b28a1af80d2f60e9caeb71d775bef0e625e511a67a80261e1bb041f11ea6d584820785e979a393f4b3a61a44581cc1f44beab

                                          • C:\Users\Admin\AppData\Local\Temp\4d97f5c2-c923-4e22-b4d0-0af6a22d542f.vbs
                                            Filesize: 716B
                                            MD5: b9c4385d564c67c968e39a6747084e1f
                                            SHA1: 8ddfcff6d29aadc60c964ad7a1071b4d80ebae1e
                                            SHA256: aa09881930a37117fef7945766a73e58a6525bebf55008244f446ee0f71c82c5
                                            SHA512: 521019a231796d91abadf2217b208f66e74f421de9b31e98227ffa3bb187694d92deffafc360251a68a1ddd19a5ec9a4bb43c5a6159e4c794c54ba28f94af4c3

                                          • C:\Users\Admin\AppData\Local\Temp\509c55a2-1419-478b-bc45-d46afe969a49.vbs
                                            Filesize: 716B
                                            MD5: 5fd6ccd9887e70e826cf39c4936ec9f3
                                            SHA1: 3d4112139533c5059e0342a8fc39f24322d31434
                                            SHA256: 3e2fe0786ed358ce55b4a84de82e46e81d8c0009dab6eb13ef3454f0835a9ecd
                                            SHA512: 9148e766f738f7bd26f4392a3fea0c8ce62859f673df4c8379cfe8f37ad9090816e9883428ecd67bec3119ba9a38b73966ff906e44770b7669e7897c1587b9be

                                          • C:\Users\Admin\AppData\Local\Temp\6a91b942-8f96-497f-9b95-2f34cf54b281.vbs
                                            Filesize: 716B
                                            MD5: 9e86119d4791c14158270fba7cf15936
                                            SHA1: 9cd55ae642c828af264b1ec5a1136e02f59c243f
                                            SHA256: 1efc9dd4bd301efd862e5628c7ef329e517aa9abdd12ad38bb09c8f84def008f
                                            SHA512: af73b846e172c92824f039909405a4f6b95664086258130c156454a094d1b180cfa9eee50e00824814aa907232b1a5c28d649c93fc26de0fa2e9e4a1112798db

                                          • C:\Users\Admin\AppData\Local\Temp\729371c2-3b9d-425f-9ab6-60a8c1336f82.vbs
                                            Filesize: 715B
                                            MD5: ea4638002fae4bf0a226cb6899fb7d22
                                            SHA1: e6b373554014f46bc4371cd6036e98d0bae76f43
                                            SHA256: 8d18255a8f9382b18f4c1eab431d38d087e95ba53b70c56e67bae02751ece8fb
                                            SHA512: 073308f908c9cef4a4178571049f5e1d9784d512aef8c6a001e8b501be4ab456a0a2f50f56215229b7bee011303f460336f316ad06c400b6529e49a65e8858a4

                                          • C:\Users\Admin\AppData\Local\Temp\7ce2bb3b-bd5c-4fd7-9b03-934eab621c02.vbs
                                            Filesize: 716B
                                            MD5: 0c96ece2a3123de388aa7a780f9a3343
                                            SHA1: ac1e3b29c104dc73b923fc8cb3e19a54c1059b8d
                                            SHA256: 38230f5f6556a2f4afe87603e8ebe35f86c2dcc48b888f628a0388dbc010fb7a
                                            SHA512: d37f4b848a84f4dcc98459e863eea2e6850672d035c6aa9c65438f13f6e58ccf04afd2308db8e08a5340882826e1ebcdc0ef41049eeb5590db75446da77185c6

                                          • C:\Users\Admin\AppData\Local\Temp\84e9772b-728d-44fd-8d90-e49a9341260e.vbs
                                            Filesize: 716B
                                            MD5: f507ac859986d5f5456e43e07a068e35
                                            SHA1: fc5d64b99cf4ee0a9fef7c9a56671ffd0156f825
                                            SHA256: 0e0005eb9586deb9d2d01d036ee77d1f833a7111069290ef81c9293cdfedf4fe
                                            SHA512: 5b182a20d0a06e7f17b086a397342bf0cd149cb524c4e8d4b5bcee16c2f7e012adf7e6ce9fdc0acc21015c7f5286fbd191368336d9d2b756ba4e7a5020b0529b

                                          • C:\Users\Admin\AppData\Local\Temp\8a52c5b0-c5e6-4d0e-99e9-e3e82331636f.vbs
                                            Filesize: 716B
                                            MD5: 10dbc7f4b992508bac22531dcd4f13e5
                                            SHA1: f2dd843e38a3a268c6f5a23dc31a35cdaec811af
                                            SHA256: c3143a3379ffeed66e3ab5799e9a1a48f8b7f283a44013708c8d0767bb30d7eb
                                            SHA512: 3c34e902c7a00c04a365b0fdf49067fc2516377407b6f8a9e37bda03a0a655da8c93ea464314a524f7ee6afb04d95ecd797e7e974bb19229fdd3ea342e42e13e

                                          • C:\Users\Admin\AppData\Local\Temp\928849f6-b62b-4353-93a4-65195f33776c.vbs
                                            Filesize: 716B
                                            MD5: 119517ab7da090549432e131df84b1e0
                                            SHA1: 8554d85852358caadebf6bc29c7cc5b59c20766e
                                            SHA256: 54f465d19f011be5564724e1731bec8b73cb55f399afabe9305999a462341d90
                                            SHA512: 6a97e377b47f606af2183c60568fa1cf1aca2a5dcf71902a2d3cefd1948ba89f787a0c9da6fd285bca2dccb16e956095ee6a63357793a586d7611067a95713c4

                                          • C:\Users\Admin\AppData\Local\Temp\d24feec2-5af4-48d0-91a4-8a0d15778e7a.vbs
                                            Filesize: 492B
                                            MD5: ff25befcf4d6ef667a8f8ecace72c6c1
                                            SHA1: b7a2c36cb915896f4e374ba9d5eaba607324c523
                                            SHA256: dc140f664e2621c79ede06cbb95360408c99e1b5e1c171133fa6367e7ba39970
                                            SHA512: 5a1dcd1e9792927229adaba5712236dc2092d627b1aa85680b79e17c67016085d1925c970ff9bf19d7c139270eb400099a3bedcc94a987bfa3d19684890076bf

                                          • C:\Users\Admin\AppData\Local\Temp\edddfa33-8d6c-4487-9834-32ab63455058.vbs
                                            Filesize: 716B
                                            MD5: 1ec3a8426a9507a20e1d817ed6bbafc2
                                            SHA1: e15a167a8eed8694bc9825358d89ebb09f9789af
                                            SHA256: f896e57294e463da07a1102f61038d859094d59528f0c246517a1e9465dd8061
                                            SHA512: b01ba3e271a7245602b5b4a2d65f176b0e57a64e20f9ea88aee6e1784a036a854282c7e538a7096c1d431f0e8eaf5a606ca19b217865f877437c80d7218de9cd

                                          • C:\Users\Admin\AppData\Local\Temp\f570ebb3-f735-446a-9597-d206b5e8df81.vbs
                                            Filesize: 716B
                                            MD5: ef077794a98c085c5fdfe7e2c4a26301
                                            SHA1: 1bc3a91d82b279ec6fa66cd723fdbed821698d75
                                            SHA256: 11b2368567921531fa2c3e681e7b160d589246e94c81804f13849756f67d8d4d
                                            SHA512: 9b6ea9aaf8e690452e3692cb882e305c349a9739f6ca8cd3f590ed38bdb23fcc47678eeea4d84e9e55f6949c903a8fe89cf60514f3970c3ddcc9ebef187114f6

                                          • memory/3932-9-0x000000001B6A0000-0x000000001B6AA000-memory.dmp
                                            Filesize: 40KB

                                          • memory/3932-14-0x000000001B730000-0x000000001B73C000-memory.dmp
                                            Filesize: 48KB

                                          • memory/3932-13-0x000000001B720000-0x000000001B72C000-memory.dmp
                                            Filesize: 48KB

                                          • memory/3932-15-0x000000001BA90000-0x000000001BA98000-memory.dmp
                                            Filesize: 32KB

                                          • memory/3932-16-0x000000001B840000-0x000000001B84A000-memory.dmp
                                            Filesize: 40KB

                                          • memory/3932-182-0x00007FF996020000-0x00007FF996AE1000-memory.dmp
                                            Filesize: 10.8MB

                                          • memory/3932-17-0x000000001B850000-0x000000001B85E000-memory.dmp
                                            Filesize: 56KB

                                          • memory/3932-18-0x000000001BA60000-0x000000001BA6C000-memory.dmp
                                            Filesize: 48KB

                                          • memory/3932-20-0x000000001BA80000-0x000000001BA8A000-memory.dmp
                                            Filesize: 40KB

                                          • memory/3932-19-0x000000001BA70000-0x000000001BA78000-memory.dmp
                                            Filesize: 32KB

                                          • memory/3932-21-0x000000001BAA0000-0x000000001BAAC000-memory.dmp
                                            Filesize: 48KB

                                          • memory/3932-12-0x000000001B710000-0x000000001B718000-memory.dmp
                                            Filesize: 32KB

                                          • memory/3932-7-0x000000001B660000-0x000000001B676000-memory.dmp
                                            Filesize: 88KB

                                          • memory/3932-0-0x00007FF996023000-0x00007FF996025000-memory.dmp
                                            Filesize: 8KB

                                          • memory/3932-10-0x000000001B690000-0x000000001B69C000-memory.dmp
                                            Filesize: 48KB

                                          • memory/3932-11-0x000000001B700000-0x000000001B70C000-memory.dmp
                                            Filesize: 48KB

                                          • memory/3932-8-0x000000001B680000-0x000000001B688000-memory.dmp
                                            Filesize: 32KB

                                          • memory/3932-4-0x000000001B6B0000-0x000000001B700000-memory.dmp
                                            Filesize: 320KB

                                          • memory/3932-5-0x000000001B0C0000-0x000000001B0C8000-memory.dmp
                                            Filesize: 32KB

                                          • memory/3932-6-0x000000001B240000-0x000000001B250000-memory.dmp
                                            Filesize: 64KB

                                          • memory/3932-3-0x000000001B220000-0x000000001B23C000-memory.dmp
                                            Filesize: 112KB

                                          • memory/3932-2-0x00007FF996020000-0x00007FF996AE1000-memory.dmp
                                            Filesize: 10.8MB

                                          • memory/3932-1-0x00000000003D0000-0x000000000050A000-memory.dmp
                                            Filesize: 1.2MB