dcrat | e659c778f5a724d4a05b742397966e8d9db42366225f826361e0279c1f30af9d

General

Target

a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Size

1.7MB
MD5

a043d8deaf4cb618bcd1973d06c8c670
SHA1

9f0644411da819485df9bc1f0e23eb6b65ea15af
SHA256

e659c778f5a724d4a05b742397966e8d9db42366225f826361e0279c1f30af9d
SHA512

2808f2914cc69f7d0ab994c17719c1df821bf8dc6883da4a8b728ee8e21796c5d26f4968dca08da44d344381fd725c5cfb363c77966a03e490b3e693eca37843
SSDEEP

49152:397qdNJl6WBNgk7OM+l8eW7ILtQmgMvp:39QCkiM+KILGXa

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exea043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3012	schtasks.exe
2344	schtasks.exe
2380	schtasks.exe
600	schtasks.exe
1060	schtasks.exe
2268	schtasks.exe
2368	schtasks.exe
1976	schtasks.exe
1372	schtasks.exe
628	schtasks.exe
824	schtasks.exe
2516	schtasks.exe
1620	schtasks.exe
1964	schtasks.exe
2032	schtasks.exe
2156	schtasks.exe
1704	schtasks.exe
2444	schtasks.exe
1256	schtasks.exe
2792	schtasks.exe
1000	schtasks.exe
1228	schtasks.exe
3004	schtasks.exe
880	schtasks.exe
File created	C:\Windows\Downloaded Program Files\f3b6ecef712a24	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
1092	schtasks.exe
2444	schtasks.exe
1784	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2084	schtasks.exe
2656	schtasks.exe
2620	schtasks.exe
1576	schtasks.exe
1684	schtasks.exe
2720	schtasks.exe
1068	schtasks.exe
1596	schtasks.exe
2824	schtasks.exe
2208	schtasks.exe
1720	schtasks.exe
2420	schtasks.exe
552	schtasks.exe
2828	schtasks.exe
944	schtasks.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\42af1c969fbb7b	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
1256	schtasks.exe
1876	schtasks.exe
848	schtasks.exe
340	schtasks.exe
2168	schtasks.exe
2284	schtasks.exe
1216	schtasks.exe
1668	schtasks.exe
3024	schtasks.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\6cb0b6c459d5d3	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
564	schtasks.exe
1856	schtasks.exe
1556	schtasks.exe
2248	schtasks.exe
2908	schtasks.exe
2860	schtasks.exe
924	schtasks.exe
856	schtasks.exe
2524	schtasks.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2160	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2160	schtasks.exe

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.execsrss.exea043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2200-1-0x0000000000B10000-0x0000000000CC6000-memory.dmp	dcrat
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe	dcrat
behavioral1/memory/2564-130-0x0000000001010000-0x00000000011C6000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.execsrss.exe

pid process

2028 a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2564 csrss.exe

pid	process
2028	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2564	csrss.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exea043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.execsrss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Drops file in Program Files directory 27 IoCs

Processes:

a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exea043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\services.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\wininit.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\audiodg.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\6cb0b6c459d5d3	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\42af1c969fbb7b	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Uninstall Information\audiodg.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Uninstall Information\42af1c969fbb7b	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\services.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\dwm.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files\Windows Media Player\886983d96e3d3e	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\56085415360792	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\csrss.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\winlogon.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\Idle.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\c5b4cb5e9653cc	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\cc11b995f2a76d	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\wininit.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\dwm.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\6ccacd8608530f	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\cc11b995f2a76d	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\winlogon.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\Idle.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files\Windows Media Player\csrss.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe

Drops file in Windows directory 9 IoCs

Processes:

a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exea043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\Downloaded Program Files\f3b6ecef712a24	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Windows\Vss\sppsvc.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Windows\Globalization\MCT\MCT-AU\27d1bcfc3c54e0	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Windows\Downloaded Program Files\spoolsv.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File opened for modification	C:\Windows\Downloaded Program Files\spoolsv.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Windows\Vss\0a1fd5f707cd16	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Windows\Globalization\MCT\MCT-AU\System.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File opened for modification	C:\Windows\Vss\sppsvc.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-AU\System.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
628	schtasks.exe
2380	schtasks.exe
1576	schtasks.exe
1556	schtasks.exe
1344	schtasks.exe
2724	schtasks.exe
2396	schtasks.exe
824	schtasks.exe
2984	schtasks.exe
2908	schtasks.exe
2656	schtasks.exe
1964	schtasks.exe
1856	schtasks.exe
2248	schtasks.exe
1968	schtasks.exe
2828	schtasks.exe
2720	schtasks.exe
2284	schtasks.exe
3024	schtasks.exe
856	schtasks.exe
1508	schtasks.exe
2824	schtasks.exe
1620	schtasks.exe
1256	schtasks.exe
2156	schtasks.exe
1748	schtasks.exe
1916	schtasks.exe
3004	schtasks.exe
2516	schtasks.exe
1812	schtasks.exe
2344	schtasks.exe
880	schtasks.exe
1660	schtasks.exe
1148	schtasks.exe
888	schtasks.exe
2444	schtasks.exe
2668	schtasks.exe
1092	schtasks.exe
2516	schtasks.exe
1816	schtasks.exe
2168	schtasks.exe
560	schtasks.exe
1868	schtasks.exe
1976	schtasks.exe
2620	schtasks.exe
2032	schtasks.exe
1720	schtasks.exe
1476	schtasks.exe
1148	schtasks.exe
2884	schtasks.exe
2584	schtasks.exe
2368	schtasks.exe
1684	schtasks.exe
2444	schtasks.exe
2860	schtasks.exe
1068	schtasks.exe
1256	schtasks.exe
2476	schtasks.exe
2084	schtasks.exe
2608	schtasks.exe
1980	schtasks.exe
600	schtasks.exe
588	schtasks.exe
1936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exea043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe

pid	process
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2028	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2028	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2028	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2028	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2028	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2028	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2028	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2028	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2028	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2028	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2028	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2028	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2028	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2028	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
2028	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

csrss.exe

pid process

2564 csrss.exe

pid	process
2564	csrss.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exea043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Token: SeDebugPrivilege	2028	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Token: SeDebugPrivilege	2564	csrss.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exea043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.execsrss.exe

description	pid	process	target process
PID 2200 wrote to memory of 2028	2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
PID 2200 wrote to memory of 2028	2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
PID 2200 wrote to memory of 2028	2200	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
PID 2028 wrote to memory of 2564	2028	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe	csrss.exe
PID 2028 wrote to memory of 2564	2028	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe	csrss.exe
PID 2028 wrote to memory of 2564	2028	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe	csrss.exe
PID 2564 wrote to memory of 2692	2564	csrss.exe	WScript.exe
PID 2564 wrote to memory of 2692	2564	csrss.exe	WScript.exe
PID 2564 wrote to memory of 2692	2564	csrss.exe	WScript.exe
PID 2564 wrote to memory of 2828	2564	csrss.exe	WScript.exe
PID 2564 wrote to memory of 2828	2564	csrss.exe	WScript.exe
PID 2564 wrote to memory of 2828	2564	csrss.exe	WScript.exe

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

Processes:

a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exea043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2200
- C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2028
- - C:\Users\Admin\Downloads\csrss.exe
    "C:\Users\Admin\Downloads\csrss.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2564
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eee724ce-8e21-443d-adfd-a33b7be2e246.vbs"
      4⤵
      PID:2692
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c606f0cd-a86a-4df1-9c8c-905295e6e5a7.vbs"
      4⤵
      PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalyticsa" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalyticsa" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Videos\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Videos\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Videos\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Vss\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Vss\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Favorites\csrss.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\services.exe'" /f
1⤵
- Creates scheduled task(s)
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\Idle.exe'" /f
1⤵
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Libraries\Idle.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Downloads\csrss.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Globalization\MCT\MCT-AU\System.exe'" /f
1⤵
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Globalization\MCT\MCT-AU\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\MCT\MCT-AU\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\winlogon.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\winlogon.exe'" /rl HIGHEST /f
1⤵
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\wininit.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Recent\dwm.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Recent\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Recent\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:552

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe

Filesize
1.7MB

MD5
a043d8deaf4cb618bcd1973d06c8c670

SHA1
9f0644411da819485df9bc1f0e23eb6b65ea15af

SHA256
e659c778f5a724d4a05b742397966e8d9db42366225f826361e0279c1f30af9d

SHA512
2808f2914cc69f7d0ab994c17719c1df821bf8dc6883da4a8b728ee8e21796c5d26f4968dca08da44d344381fd725c5cfb363c77966a03e490b3e693eca37843

Download Submit
C:\Users\Admin\AppData\Local\Temp\c606f0cd-a86a-4df1-9c8c-905295e6e5a7.vbs

Filesize
486B

MD5
4d73db0c4f107aa0ed9038ddeeb0ef8e

SHA1
ebb8214be4a89e1356a7533e5474f40eee588e65

SHA256
4dcdd8a18a12414a3ce67c5a56badfe29b7178e29e032b4ec206b16b6fd04e2c

SHA512
f5ef1723316191e407b6f8ec007da23c646cce9d958f36cd7970d99c8c1838bf2aef0531b131d330f126eea49e8a679d8cd16d94a13d4cbc4b3b2f751d8ade7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eee724ce-8e21-443d-adfd-a33b7be2e246.vbs

Filesize
710B

MD5
e55932bc9a084e074469750364e52a65

SHA1
cfacc7a34631a44cbbcfedab5adc9cbec4224b26

SHA256
b450abcbd5ee6de6018a933ff96a69016cc5727da5aa35e1137a138af641cf84

SHA512
cedb3ce1d4a5aa43e09494391d91bb10e26d9e6daec75043280547230f46bd83310c7c8222931e86f981cd1c77fee96a7fb82fc49e2172515fbb1d16e7ca5c90

Download Submit
memory/2200-14-0x0000000000AC0000-0x0000000000ACC000-memory.dmp

Filesize
48KB

Download
memory/2200-16-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

Filesize
48KB

Download
memory/2200-5-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download
memory/2200-6-0x0000000000580000-0x0000000000588000-memory.dmp

Filesize
32KB

Download
memory/2200-7-0x0000000000A40000-0x0000000000A48000-memory.dmp

Filesize
32KB

Download
memory/2200-8-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/2200-9-0x0000000000A50000-0x0000000000A5C000-memory.dmp

Filesize
48KB

Download
memory/2200-10-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/2200-11-0x0000000000A70000-0x0000000000A7C000-memory.dmp

Filesize
48KB

Download
memory/2200-12-0x0000000000A80000-0x0000000000A88000-memory.dmp

Filesize
32KB

Download
memory/2200-13-0x0000000000A90000-0x0000000000AA2000-memory.dmp

Filesize
72KB

Download
memory/2200-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

Filesize
4KB

Download
memory/2200-15-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

Filesize
32KB

Download
memory/2200-4-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/2200-17-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/2200-18-0x00000000021B0000-0x00000000021B8000-memory.dmp

Filesize
32KB

Download
memory/2200-19-0x0000000000B00000-0x0000000000B0C000-memory.dmp

Filesize
48KB

Download
memory/2200-20-0x00000000021C0000-0x00000000021CA000-memory.dmp

Filesize
40KB

Download
memory/2200-21-0x0000000002250000-0x000000000225E000-memory.dmp

Filesize
56KB

Download
memory/2200-22-0x000000001A870000-0x000000001A87C000-memory.dmp

Filesize
48KB

Download
memory/2200-23-0x000000001AC50000-0x000000001AC58000-memory.dmp

Filesize
32KB

Download
memory/2200-24-0x000000001AC60000-0x000000001AC6A000-memory.dmp

Filesize
40KB

Download
memory/2200-25-0x000000001AC70000-0x000000001AC7C000-memory.dmp

Filesize
48KB

Download
memory/2200-3-0x0000000000550000-0x000000000055E000-memory.dmp

Filesize
56KB

Download
memory/2200-69-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2200-1-0x0000000000B10000-0x0000000000CC6000-memory.dmp

Filesize
1.7MB

Download
memory/2200-2-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2564-130-0x0000000001010000-0x00000000011C6000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads