Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240221-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    15-05-2024 07:48

General

  • Target

    a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe

  • Size

    2.9MB

  • MD5

    a76c3992f0ce41945386691b991de4f0

  • SHA1

    694416f5f2cc6579af87f08175b52f9039930972

  • SHA256

    92e319b1b62dd242ccb3feaaa29200780cc33c46a5b35a4f5723fbcd73976023

  • SHA512

    6f8e49018ca2bd9ef4f002d968903cd6e414d61afbc68e8c70f74e1c473d612ed07f25af2c129fbd59105b71c9704cbc4c4b2e1b889ef3ebb8896a64b6ba7870

  • SSDEEP

    49152:H4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:YDKmzjWnC8Wikx1DUN2/Uq

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.

  • Process spawned unexpected child process (36 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass (3 TTPs, 30 IoCs)
  • DCRat payload (8 IoCs)

    Detects the DCRat payload, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell (1 TTP, 12 IoCs)

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE (9 IoCs)
  • Checks whether UAC is enabled (1 TTP, 20 IoCs)
  • Drops file in Program Files directory (16 IoCs)
  • Drops file in Windows directory (13 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTP, 36 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (22 IoCs)
  • Suspicious use of AdjustPrivilegeToken (22 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTP, 30 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2204
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2196
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2740
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2692
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1608
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1572
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3064
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3060
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2584
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2396
    • C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
      "C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:324
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a3913c6-c403-4575-82cc-9efa443f58da.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2304
        • C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
          C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2544
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\189315fe-d30f-4820-95bf-136e5099806e.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2116
            • C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
              C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1484
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81a20895-7992-478c-a1f6-70e9c4005aa3.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1728
                • C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
                  C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
                  8⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • System policy modification
                  PID:2472
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\254fd276-a90b-42e9-bc22-f3c0c470bddf.vbs"
                    9⤵
                      PID:580
                      • C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
                        C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
                        10⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:1924
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87983f1d-2c5a-4e9e-ad7a-6268d1febc9b.vbs"
                          11⤵
                            PID:1044
                            • C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
                              C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
                              12⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:1780
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ce27bbf-81d8-413e-b18f-d55c53d4e8e1.vbs"
                                13⤵
                                  PID:2524
                                  • C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
                                    C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
                                    14⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:1552
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\babcc170-13ac-40bf-be35-ae34702a755e.vbs"
                                      15⤵
                                        PID:2800
                                        • C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
                                          C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
                                          16⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:2168
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11708d4c-d3f6-420b-bf7a-5970c65c2b2e.vbs"
                                            17⤵
                                              PID:1488
                                              • C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
                                                C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
                                                18⤵
                                                • UAC bypass
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:320
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\260a53a8-3477-40db-8dc1-f3b67bf62dc7.vbs"
                                                  19⤵
                                                    PID:2156
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a36caac-c0db-4cbd-92c7-21280f0e644a.vbs"
                                                    19⤵
                                                      PID:884
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f963144-2cf4-49db-b764-63b890cb9c72.vbs"
                                                  17⤵
                                                    PID:2092
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fa70d88-92aa-4426-9419-82f3caa590b1.vbs"
                                                15⤵
                                                  PID:2672
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91bc37cd-f09e-406c-8374-a636f716fd9b.vbs"
                                              13⤵
                                                PID:1664
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44be4781-1631-444c-9f6d-682110435f04.vbs"
                                            11⤵
                                              PID:844
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13381cec-12f5-4cf1-9d9e-623bc5f2328e.vbs"
                                          9⤵
                                            PID:2064
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0b48b46-92fc-4dc7-9a5f-fd0f115bd29a.vbs"
                                        7⤵
                                          PID:2808
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51f4de88-b488-468d-b114-9eb78d5769fc.vbs"
                                      5⤵
                                        PID:1940
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b770a552-b404-4c4c-b8bf-a07b02aa329d.vbs"
                                    3⤵
                                      PID:1996
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2608
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2700
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2388
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2524
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2412
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2372
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2192
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2864
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2796
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\csrss.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2152
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ModemLogs\csrss.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:840
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\csrss.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1804
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "a76c3992f0ce41945386691b991de4f0_NeikiAnalyticsa" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2644
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "a76c3992f0ce41945386691b991de4f0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2552
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "a76c3992f0ce41945386691b991de4f0_NeikiAnalyticsa" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2820
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\servicing\Editions\spoolsv.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1048
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\servicing\Editions\spoolsv.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2236
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\servicing\Editions\spoolsv.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1720
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1036
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1668
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1468
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Downloads\dwm.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2944
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\dwm.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:940
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Downloads\dwm.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1648
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\images\sppsvc.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1688
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\sppsvc.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1628
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\images\sppsvc.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1216
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\dllhost.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:788
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\dllhost.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1016
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\dllhost.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:860
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\lsm.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1484
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\lsm.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2144
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\lsm.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2724
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\smss.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:400
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\smss.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:2916
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\smss.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Creates scheduled task(s)
                                  PID:1136

                                Network

                                MITRE ATT&CK Enterprise v15

                                Downloads

                                • C:\Program Files (x86)\Adobe\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe
                                  Filesize: 2.9MB
                                  MD5: a76c3992f0ce41945386691b991de4f0
                                  SHA1: 694416f5f2cc6579af87f08175b52f9039930972
                                  SHA256: 92e319b1b62dd242ccb3feaaa29200780cc33c46a5b35a4f5723fbcd73976023
                                  SHA512: 6f8e49018ca2bd9ef4f002d968903cd6e414d61afbc68e8c70f74e1c473d612ed07f25af2c129fbd59105b71c9704cbc4c4b2e1b889ef3ebb8896a64b6ba7870

                                • C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
                                  Filesize: 2.9MB
                                  MD5: 50200bb05eb5ce4121495f32a8ff5e3e
                                  SHA1: b507c386d869bd4b561ccf2dc56cd1bd28473ee0
                                  SHA256: e223f04b0ebfe8bbb1690d3406b9c013a81d0fd4a7860060f617ceff06a27363
                                  SHA512: 6656be3d220e143974c4c2efb9768724d337ddfe711e200ead2b0873ec9d6f9028902a0afbac5b53b814822fac296490438a193ca7ce04c51897b9186ef20eb6

                                • C:\Users\Admin\AppData\Local\Temp\11708d4c-d3f6-420b-bf7a-5970c65c2b2e.vbs
                                  Filesize: 737B
                                  MD5: ca8d1a3fc86cb97b774754dc338a9301
                                  SHA1: cd30f835411f3582554da8f823fb0fb3d6b947b6
                                  SHA256: b21280afff8e6bf0b0b4d7231127eed883f2af4ef0a33967e3c7fbceacb03f30
                                  SHA512: e548475e60f30088f237297186e5109a2f3d8f0b4b1c7577da29a609d06cc784eadf6947ac47d046fe2642ce7c90b95e8558ec412f982d53bb71d32fb76559f9

                                • C:\Users\Admin\AppData\Local\Temp\189315fe-d30f-4820-95bf-136e5099806e.vbs
                                  Filesize: 737B
                                  MD5: 357137808f0d53414931e7711701f07f
                                  SHA1: ffa2547d28b2acd863f6188ee7526f87cdfc2d58
                                  SHA256: cc70b61ab7f01293d8190cf81f9b1d2bafded9d0507f187c3c8df9b14c6dcc85
                                  SHA512: df6b74865f1c8d1ffec55f2a2ca9850e127ee40be7bff02cdfff4c34ff03f2e69778bccc4dd83f11db3bfbf9f39ae973bec30d5b1b3db934ea0b85c22b4ba435

                                • C:\Users\Admin\AppData\Local\Temp\1a3913c6-c403-4575-82cc-9efa443f58da.vbs
                                  Filesize: 736B
                                  MD5: b68beb1b051f04bb69f361e278c39639
                                  SHA1: 3d10aeaecdc442ea4da4d8d8a89ca64e20b1b945
                                  SHA256: 04e6ba9342338b03fa73e1bafedff858a57fb5a32a87437c494fbe9e1d5dc0e7
                                  SHA512: 8f1b0803e2ccece947827eae237ac4e1c6d99d1f8cf39be383cdffdeef3eaa7632e20c970df91972f32d9ca25f94f20449eb88602042a8a8afd9226f0f09fadf

                                • C:\Users\Admin\AppData\Local\Temp\254fd276-a90b-42e9-bc22-f3c0c470bddf.vbs
                                  Filesize: 737B
                                  MD5: 453921fc64fd4b713d345cb17079da34
                                  SHA1: cacff0b65ed085d1a7bacd9027ffdc6447f6c852
                                  SHA256: ab76d934c18e05a34637f34ab8002356071c52dc4a0a0aaeb90ff2531a5e6b81
                                  SHA512: 91b483734d4e7b75d16fcbaeee101cc0de3c3a2a2c5583b8dd33c4a967bd746d6871712378857a6f8ab566cf164d3f5acb27ec5fb7c707f2d664677bc29dfa28

                                • C:\Users\Admin\AppData\Local\Temp\260a53a8-3477-40db-8dc1-f3b67bf62dc7.vbs
                                  Filesize: 736B
                                  MD5: b550bec859709157db8847c6a8a8b4e8
                                  SHA1: 97e3614e614b7fa584702e7611d28fdb6526b717
                                  SHA256: cdad0a1032bf5e0409d029cda6c769848c039c5786cc79f8827afdbc65f82388
                                  SHA512: 309699affb8197d7b97750fa770b2f020a7552dfae2db2208b05f4418b9b998265e285ce7c3d172aa754829c6e805a2f929c3d41113e1d92d6f90f2f8b749863

                                • C:\Users\Admin\AppData\Local\Temp\6ce27bbf-81d8-413e-b18f-d55c53d4e8e1.vbs
                                  Filesize: 737B
                                  MD5: 3dd8d5a612f09af9651e49f4dc63753e
                                  SHA1: 9361fbb7ac22ef5e8bd2f748b680f274b76cb4cf
                                  SHA256: edff42637b5453d066994447e081352b1b7a0bb9e37d04388c65b4f8d4946e99
                                  SHA512: 68c46460ea18b1b711678a268e578ab9eeb20b1f5dbc23bdc6b7d9dbf7ee117909f36b0203481ef1f04a2ef772f5b90cc274f0dd6a5dcd477db967519bd4a3ff

                                • C:\Users\Admin\AppData\Local\Temp\81a20895-7992-478c-a1f6-70e9c4005aa3.vbs
                                  Filesize: 737B
                                  MD5: 46a3d6a02b808a3f449c0a5e7c72ac0c
                                  SHA1: 6b8872cd8b4124eb78ed3208c17590d4e1603a7d
                                  SHA256: 56df465e4916dae7b26bf1405eba3108f655340059ff7948a3cc695388e94a29
                                  SHA512: 7a7316702c70f244eb7488c773cc7df64e7b9ced7de59a03ee40ef542906fcdf69ffa33fef8fd63a4c946d0235a6b5d5dca616e092fd5e11149604cf425a05d7

                                • C:\Users\Admin\AppData\Local\Temp\87983f1d-2c5a-4e9e-ad7a-6268d1febc9b.vbs
                                  Filesize: 737B
                                  MD5: a0ae6bbae85e716c275bca0d04a843c1
                                  SHA1: 175d5dcf859e86b7005a3d2017731d4755abbb94
                                  SHA256: 0a3186859570147ae1e6878cc9a2c765f7469abbd4c80db7f42bbcdbc0a3a966
                                  SHA512: c3886b74bd558c23b9af989382c4b391090365ff086100a29f23a7e2572ef21068ae56837173f34ae8337c257e582f5652cb720b3cd706c1adb45cd2b375c44e

                                • C:\Users\Admin\AppData\Local\Temp\b770a552-b404-4c4c-b8bf-a07b02aa329d.vbs
                                  Filesize: 513B
                                  MD5: bc8d4619fd969519a924a3cd5ea48cbd
                                  SHA1: 7766371d8981c1f50a9b4582dff2ac253638cf8e
                                  SHA256: 49edc2f9eac211985ee409b8a07d9d8a6fa755c026842924b5fb3d0b589fd82c
                                  SHA512: 3ca9366d00ec76bfbd25571013328f02d9e93d4958a1a6630ffbf419fa7225f206fc6228ec3b5f364785b90b7553b302128f2111e8b1513f0bc831b16242b1b9

                                • C:\Users\Admin\AppData\Local\Temp\babcc170-13ac-40bf-be35-ae34702a755e.vbs
                                  Filesize: 737B
                                  MD5: 8d20768946f4bbd6150f66938eeb4e49
                                  SHA1: 0effafddd7e357ad11725e26d9d616c8ee71d9a6
                                  SHA256: 81c91ece78f828dcceb2bd1f3c23065ea6118ec3f5fe11e0e881759eca88d065
                                  SHA512: 21a02412751ed811a8e486017f124db975bf0116ccada80e370270b357b3a5e302f3a78d305e89098415ccf09bac6393f1793f8d6ca1ba101bb6cd4479c3f593

                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                  Filesize: 7KB
                                  MD5: a87e3199a6d48f2f0557bc3312c9a825
                                  SHA1: 9905728721099bac2f8981a4fff1518f565732ea
                                  SHA256: fabf0295174f9d5592c0db1cddf112afde2b7be16855f529f6bf922ebcd9851a
                                  SHA512: 38c11653369045065f4d760c9c86f2ec94f0f2cb8f89aaee3840efbb5d266dc8056f7e3a0c21f10fc8166a188a023ef03a633e2f356d29fa93145038ff6f8a58

                                • memory/320-287-0x0000000000E20000-0x0000000000E32000-memory.dmp
                                  Filesize: 72KB
                                • memory/320-286-0x0000000000EC0000-0x00000000011A6000-memory.dmp
                                  Filesize: 2.9MB
                                • memory/324-191-0x0000000000A10000-0x0000000000A22000-memory.dmp
                                  Filesize: 72KB
                                • memory/324-189-0x00000000002B0000-0x0000000000596000-memory.dmp
                                  Filesize: 2.9MB
                                • memory/1484-215-0x0000000000550000-0x0000000000562000-memory.dmp
                                  Filesize: 72KB
                                • memory/1780-250-0x0000000001340000-0x0000000001626000-memory.dmp
                                  Filesize: 2.9MB
                                • memory/2168-274-0x0000000000990000-0x00000000009A2000-memory.dmp
                                  Filesize: 72KB
                                • memory/2168-273-0x00000000002C0000-0x00000000005A6000-memory.dmp
                                  Filesize: 2.9MB
                                • memory/2472-227-0x0000000000C40000-0x0000000000C52000-memory.dmp
                                  Filesize: 72KB
                                • memory/2544-203-0x0000000000CD0000-0x0000000000CE2000-memory.dmp
                                  Filesize: 72KB
                                • memory/2544-202-0x0000000000CE0000-0x0000000000FC6000-memory.dmp
                                  Filesize: 2.9MB
                                • memory/2692-154-0x000000001B1E0000-0x000000001B4C2000-memory.dmp
                                  Filesize: 2.9MB
                                • memory/2768-23-0x000000001A9A0000-0x000000001A9A8000-memory.dmp
                                  Filesize: 32KB
                                • memory/2768-8-0x00000000009F0000-0x00000000009F8000-memory.dmp
                                  Filesize: 32KB
                                • memory/2768-0-0x000007FEF5753000-0x000007FEF5754000-memory.dmp
                                  Filesize: 4KB
                                • memory/2768-1-0x0000000000AE0000-0x0000000000DC6000-memory.dmp
                                  Filesize: 2.9MB
                                • memory/2768-25-0x000000001AE00000-0x000000001AE0C000-memory.dmp
                                  Filesize: 48KB
                                • memory/2768-11-0x0000000002290000-0x00000000022E6000-memory.dmp
                                  Filesize: 344KB
                                • memory/2768-24-0x000000001A9B0000-0x000000001A9BA000-memory.dmp
                                  Filesize: 40KB
                                • memory/2768-190-0x000007FEF5750000-0x000007FEF613C000-memory.dmp
                                  Filesize: 9.9MB
                                • memory/2768-13-0x0000000000AB0000-0x0000000000AB8000-memory.dmp
                                  Filesize: 32KB
                                • memory/2768-10-0x0000000000A00000-0x0000000000A0A000-memory.dmp
                                  Filesize: 40KB
                                • memory/2768-9-0x0000000000A90000-0x0000000000AA0000-memory.dmp
                                  Filesize: 64KB
                                • memory/2768-22-0x000000001A990000-0x000000001A99C000-memory.dmp
                                  Filesize: 48KB
                                • memory/2768-20-0x000000001A970000-0x000000001A978000-memory.dmp
                                  Filesize: 32KB
                                • memory/2768-12-0x0000000000AA0000-0x0000000000AAC000-memory.dmp
                                  Filesize: 48KB
                                • memory/2768-21-0x000000001A980000-0x000000001A98E000-memory.dmp
                                  Filesize: 56KB
                                • memory/2768-7-0x00000000009E0000-0x00000000009E8000-memory.dmp
                                  Filesize: 32KB
                                • memory/2768-19-0x000000001A960000-0x000000001A96E000-memory.dmp
                                  Filesize: 56KB
                                • memory/2768-6-0x00000000009C0000-0x00000000009D6000-memory.dmp
                                  Filesize: 88KB
                                • memory/2768-5-0x00000000009B0000-0x00000000009C0000-memory.dmp
                                  Filesize: 64KB
                                • memory/2768-18-0x00000000022E0000-0x00000000022EA000-memory.dmp
                                  Filesize: 40KB
                                • memory/2768-4-0x0000000000500000-0x0000000000508000-memory.dmp
                                  Filesize: 32KB
                                • memory/2768-3-0x00000000004E0000-0x00000000004FC000-memory.dmp
                                  Filesize: 112KB
                                • memory/2768-17-0x0000000002200000-0x0000000002208000-memory.dmp
                                  Filesize: 32KB
                                • memory/2768-16-0x00000000021F0000-0x00000000021F8000-memory.dmp
                                  Filesize: 32KB
                                • memory/2768-2-0x000007FEF5750000-0x000007FEF613C000-memory.dmp
                                  Filesize: 9.9MB
                                • memory/2768-15-0x0000000000AD0000-0x0000000000AE2000-memory.dmp
                                  Filesize: 72KB
                                • memory/2768-14-0x0000000000AC0000-0x0000000000ACC000-memory.dmp
                                  Filesize: 48KB
                                • memory/2808-164-0x0000000002690000-0x0000000002698000-memory.dmp
                                  Filesize: 32KB