dcrat | 50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624a

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
Size

3.0MB
MD5

acb4b3fd9eb572eca52ae15bba28cb80
SHA1

a5744b672dad3c6231dabab1f25cac4b497e420e
SHA256

50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624a
SHA512

782ad414748ee1ec3cca4feb78b5509e52871b78831706f68a53693ffac1bb8c66d6e2151d969707e37c1500ec7337e823f8bf16386d1aa26c0b67a24f30ea8f
SSDEEP

49152:QZ2fRPDpkR3/hESpjo4uLDI3KoSPq3cXtFvOUcx3twYvr0G56/FBwzpTZoKh:E7ZJ89LDSKrq3iGnnw+1YXw9OK

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	356	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2972	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2972	schtasks.exe	29

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2616-19-0x0000000000400000-0x0000000000648000-memory.dmp	dcrat
behavioral1/memory/2616-21-0x0000000000400000-0x0000000000648000-memory.dmp	dcrat
behavioral1/memory/2616-17-0x0000000000400000-0x0000000000648000-memory.dmp	dcrat
behavioral1/memory/2616-13-0x0000000000400000-0x0000000000648000-memory.dmp	dcrat
behavioral1/memory/2616-14-0x0000000000400000-0x0000000000648000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1248	powershell.exe
1368	powershell.exe
1240	powershell.exe
2940	powershell.exe
1932	powershell.exe
2136	powershell.exe
2128	powershell.exe
1840	powershell.exe
1960	powershell.exe
1172	powershell.exe
2716	powershell.exe
2720	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
892	dwm.exe
344	dwm.exe
1844	dwm.exe
1824	dwm.exe
1612	dwm.exe
2272	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2424 set thread context of 2616	2424	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	28

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\wininit.exe	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\101b941d020240	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\RCXC884.tmp	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\wininit.exe	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\RCXCAF6.tmp	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\RCXCCFA.tmp	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\sppsvc.exe	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\lsm.exe	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\7a0fd90576e088	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCXC40C.tmp	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\lsm.exe	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\sppsvc.exe	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\0a1fd5f707cd16	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\explorer.exe	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\RCXC816.tmp	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\RCXCCFB.tmp	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\56085415360792	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCXC40D.tmp	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\RCXCA88.tmp	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\explorer.exe	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2856	schtasks.exe
1260	schtasks.exe
1980	schtasks.exe
1632	schtasks.exe
1584	schtasks.exe
548	schtasks.exe
2112	schtasks.exe
2504	schtasks.exe
356	schtasks.exe
1160	schtasks.exe
2736	schtasks.exe
2828	schtasks.exe
2712	schtasks.exe
908	schtasks.exe
868	schtasks.exe
840	schtasks.exe
2180	schtasks.exe
324	schtasks.exe
2264	schtasks.exe
844	schtasks.exe
2556	schtasks.exe
584	schtasks.exe
1720	schtasks.exe
2248	schtasks.exe
2272	schtasks.exe
1368	schtasks.exe
688	schtasks.exe
792	schtasks.exe
2024	schtasks.exe
952	schtasks.exe
2188	schtasks.exe
2380	schtasks.exe
1836	schtasks.exe
2412	schtasks.exe
2796	schtasks.exe
3040	schtasks.exe
2536	schtasks.exe
444	schtasks.exe
560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
2720	powershell.exe
1240	powershell.exe
1368	powershell.exe
2128	powershell.exe
1960	powershell.exe
1840	powershell.exe
2940	powershell.exe
2136	powershell.exe
1172	powershell.exe
1932	powershell.exe
2716	powershell.exe
1248	powershell.exe
892	dwm.exe
892	dwm.exe
892	dwm.exe
892	dwm.exe
892	dwm.exe
892	dwm.exe
892	dwm.exe
892	dwm.exe
892	dwm.exe
892	dwm.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	892	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2616	2424	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	28
PID 2424 wrote to memory of 2616	2424	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	28
PID 2424 wrote to memory of 2616	2424	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	28
PID 2424 wrote to memory of 2616	2424	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	28
PID 2424 wrote to memory of 2616	2424	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	28
PID 2424 wrote to memory of 2616	2424	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	28
PID 2424 wrote to memory of 2616	2424	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	28
PID 2424 wrote to memory of 2616	2424	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	28
PID 2424 wrote to memory of 2616	2424	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	28
PID 2616 wrote to memory of 2136	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	71
PID 2616 wrote to memory of 2136	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	71
PID 2616 wrote to memory of 2136	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	71
PID 2616 wrote to memory of 2136	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	71
PID 2616 wrote to memory of 2128	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	72
PID 2616 wrote to memory of 2128	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	72
PID 2616 wrote to memory of 2128	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	72
PID 2616 wrote to memory of 2128	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	72
PID 2616 wrote to memory of 1840	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	73
PID 2616 wrote to memory of 1840	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	73
PID 2616 wrote to memory of 1840	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	73
PID 2616 wrote to memory of 1840	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	73
PID 2616 wrote to memory of 1248	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	75
PID 2616 wrote to memory of 1248	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	75
PID 2616 wrote to memory of 1248	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	75
PID 2616 wrote to memory of 1248	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	75
PID 2616 wrote to memory of 1172	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	77
PID 2616 wrote to memory of 1172	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	77
PID 2616 wrote to memory of 1172	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	77
PID 2616 wrote to memory of 1172	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	77
PID 2616 wrote to memory of 1368	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	80
PID 2616 wrote to memory of 1368	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	80
PID 2616 wrote to memory of 1368	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	80
PID 2616 wrote to memory of 1368	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	80
PID 2616 wrote to memory of 2716	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	81
PID 2616 wrote to memory of 2716	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	81
PID 2616 wrote to memory of 2716	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	81
PID 2616 wrote to memory of 2716	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	81
PID 2616 wrote to memory of 2720	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	84
PID 2616 wrote to memory of 2720	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	84
PID 2616 wrote to memory of 2720	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	84
PID 2616 wrote to memory of 2720	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	84
PID 2616 wrote to memory of 1932	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	85
PID 2616 wrote to memory of 1932	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	85
PID 2616 wrote to memory of 1932	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	85
PID 2616 wrote to memory of 1932	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	85
PID 2616 wrote to memory of 1960	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	86
PID 2616 wrote to memory of 1960	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	86
PID 2616 wrote to memory of 1960	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	86
PID 2616 wrote to memory of 1960	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	86
PID 2616 wrote to memory of 2940	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	87
PID 2616 wrote to memory of 2940	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	87
PID 2616 wrote to memory of 2940	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	87
PID 2616 wrote to memory of 2940	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	87
PID 2616 wrote to memory of 1240	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	88
PID 2616 wrote to memory of 1240	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	88
PID 2616 wrote to memory of 1240	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	88
PID 2616 wrote to memory of 1240	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	88
PID 2616 wrote to memory of 892	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	95
PID 2616 wrote to memory of 892	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	95
PID 2616 wrote to memory of 892	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	95
PID 2616 wrote to memory of 892	2616	50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe	95
PID 892 wrote to memory of 344	892	dwm.exe	96
PID 892 wrote to memory of 344	892	dwm.exe	96
PID 892 wrote to memory of 344	892	dwm.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624aNeikiAnalytics_NeikiAnalytics.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2128
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1840
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1248
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1172
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1368
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1240
- - C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe
    "C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe
      "C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe"
      4⤵
      Executes dropped EXE
      PID:344
  - - C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe
      "C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe"
      4⤵
      Executes dropped EXE
      PID:1844
  - - C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe
      "C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe"
      4⤵
      Executes dropped EXE
      PID:1824
  - - C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe
      "C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe"
      4⤵
      Executes dropped EXE
      PID:1612
  - - C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe
      "C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe"
      4⤵
      Executes dropped EXE
      PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Documents\My Videos\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Documents\My Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\PrintHood\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\PrintHood\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\explorer.exe

Filesize
3.0MB

MD5
acb4b3fd9eb572eca52ae15bba28cb80

SHA1
a5744b672dad3c6231dabab1f25cac4b497e420e

SHA256
50c457cecd795efa3fa25824db4a7c330dfac3af684a31af6c71a8354513624a

SHA512
782ad414748ee1ec3cca4feb78b5509e52871b78831706f68a53693ffac1bb8c66d6e2151d969707e37c1500ec7337e823f8bf16386d1aa26c0b67a24f30ea8f

Download Submit
C:\Program Files (x86)\Common Files\wininit.exe

Filesize
3.0MB

MD5
7091c07b8f4bc143ccd1538d852a2180

SHA1
278e79ac523dda957020a63dd94f96b82fbda2f4

SHA256
8219422d7943db4c335b16465f93cb58abe43ff72d0e46200ac389a80a114244

SHA512
5020e57acd9dfa63f3689e037f1d4649f0514c310dd6fd84c7d2cdeefadf0a4ca2b0a90d363064ea5e721d8c7f176a68246faa1ca7a51997dec5b955f6c57e7b

Download Submit
C:\Program Files (x86)\Windows Sidebar\es-ES\lsm.exe

Filesize
3.0MB

MD5
89141cb109039df7f1cef0bb1ffbbc3a

SHA1
0aa02b0f1e85d97faf007cf5306ed05011ce3f94

SHA256
074a3655e81ab67718d3f3de742735aad2a7bcaa5aac25d08e08d17ee0d6b875

SHA512
ccabf339b21069aa4279488bd72619ab12b060b9bd9fb73a4aa2a3f1d6137fa7c118bc61a115e555da4ffac4e0faba08bbe502fb8ec98e887b15d47c7e715859

Download Submit
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\System.exe

Filesize
3.0MB

MD5
8f482e45b9b2a3448d8353fc888bc1d1

SHA1
f0b81a6ada8679d8b5088b3b1dc0fbe37535cf62

SHA256
a82b73a706bb3729fa97327cefb576af0720507305e9d0548f023cb7ebb4e1b8

SHA512
b7c271007c7d2d602a157229bb7d9f6fd0c500137f08e540cdc9f64070983285e6a5be506755ffa5257b54055922e234c9b8b7e8af8c84cdc1c935dc4a320ab6

Download Submit
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe

Filesize
3.0MB

MD5
1be5c48b46576693712be20d27a65e0d

SHA1
fa11ead80bbba066a140b94a5be8bd62bc6c1be2

SHA256
1b75c35aaf0a9d062683a7ecd9c67603075827ad9c581d811d0d358a63402344

SHA512
260be6e25832c05dedb5d71f455e2f8c98c8ffd56047f47bc1b9916014fc79b934078bb3eba39290b405dd9e5053c05e236766a18bf55381232eebaf740a5102

Download Submit
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\explorer.exe

Filesize
3.0MB

MD5
40351350e8bf89c6558dae118b795c5c

SHA1
e451842d7ddcff13062a73c61e26cde9c01b23e1

SHA256
d1359103252d180ef5d79ea961c7ef9d714525b763cf9136bf1752ac2d543801

SHA512
d8b5b56c474385b082afc2a53747672d3419fcb179a82cdf37921fe97278dfbe18a3a6b18fc462cdceab949ca5b6d69342484d9ba8b91892c2c187e0b4b24942

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6b9d86aa344a2ade79cfc9b58fde7f97

SHA1
8008e4ccfaf25a32a90db3ea5a9c7e36f7a2b468

SHA256
6c88cd67623b1bcdfd9c0192ac3a2f49279c84261c4da49537fb97d8d8d1aa2a

SHA512
bd96163b53d9ad1e87c55a451788f5ebad78a547c93be21baa228bc048c210fddf1794eba02886dc82f08baa3f49a93022a2219c0202a346a89ae38e4e79564f

Download Submit
C:\Users\Admin\Videos\explorer.exe

Filesize
3.0MB

MD5
2cca498f5b509122ca60786d2a45fbfc

SHA1
8c3d1fed7a50f8f23d6ebe9ec929f1960f2a816e

SHA256
24dc5a91a62fb9992316c58c54c473ac2aaef48038dae5a9e438241b8e48b91f

SHA512
8da37279b7d22aeea925a0c959034bf4283bd56d1103fc6e9bfd4f0ba6e5a00d290529bddfa657c4852cec0aaeafc504217f5a891b76399085ad939a6e109f5e

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\dwm.exe

Filesize
3.0MB

MD5
b9e053ed6c8d00fae0137d645746b00a

SHA1
3e8d61acea6818c05fbe30b69d1fb72101e4f042

SHA256
73ace554986a87416ab7aae09f4393f860ebc195e17834b842d8e6c1e2f7df1f

SHA512
437184e363a94f8bdea70e9df4a97597fdd730ae189655f2a5f96a784ee9b5d4d1906e510a290a3d0754365075f82ed3d14d2ef966e3b401837e017b0acd1e4c

Download Submit
C:\Users\Default\taskhost.exe

Filesize
3.0MB

MD5
f8cf67f413a6ee7f229baf6f79455848

SHA1
430ed4d247c896e4a2d3b298c0b09b08ebc8f77e

SHA256
72b9c486f688288b705b093434284f4650d14e7d91f192397f019fe0494ea3e0

SHA512
3c9995e081ad03be307af6fd7ea60dff672580b3be637507f1c06657c91645e066d354d1b2f2f754547885e7bf7d1206c87c8bae36320a22f44ed8f6fe816898

Download Submit
memory/892-291-0x00000000002F0000-0x0000000000600000-memory.dmp

Filesize
3.1MB

Download
memory/892-293-0x00000000007A0000-0x00000000007B6000-memory.dmp

Filesize
88KB

Download
memory/2424-0-0x0000000073FEE000-0x0000000073FEF000-memory.dmp

Filesize
4KB

Download
memory/2424-8-0x0000000009B80000-0x0000000009DF4000-memory.dmp

Filesize
2.5MB

Download
memory/2424-23-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/2424-7-0x0000000009900000-0x0000000009B7A000-memory.dmp

Filesize
2.5MB

Download
memory/2424-6-0x00000000008E0000-0x00000000008EA000-memory.dmp

Filesize
40KB

Download
memory/2424-5-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/2424-4-0x0000000073FEE000-0x0000000073FEF000-memory.dmp

Filesize
4KB

Download
memory/2424-3-0x0000000000580000-0x0000000000596000-memory.dmp

Filesize
88KB

Download
memory/2424-2-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/2424-1-0x0000000000A70000-0x0000000000D80000-memory.dmp

Filesize
3.1MB

Download
memory/2616-31-0x00000000024A0000-0x00000000024A8000-memory.dmp

Filesize
32KB

Download
memory/2616-42-0x0000000004D50000-0x0000000004D58000-memory.dmp

Filesize
32KB

Download
memory/2616-29-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2616-30-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/2616-27-0x0000000002410000-0x000000000242C000-memory.dmp

Filesize
112KB

Download
memory/2616-32-0x0000000002570000-0x000000000257C000-memory.dmp

Filesize
48KB

Download
memory/2616-33-0x0000000004BD0000-0x0000000004C26000-memory.dmp

Filesize
344KB

Download
memory/2616-34-0x0000000004770000-0x000000000477C000-memory.dmp

Filesize
48KB

Download
memory/2616-35-0x0000000004780000-0x0000000004788000-memory.dmp

Filesize
32KB

Download
memory/2616-36-0x00000000047D0000-0x00000000047DC000-memory.dmp

Filesize
48KB

Download
memory/2616-37-0x0000000004C20000-0x0000000004C28000-memory.dmp

Filesize
32KB

Download
memory/2616-38-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/2616-39-0x0000000004C90000-0x0000000004C9C000-memory.dmp

Filesize
48KB

Download
memory/2616-40-0x0000000004CF0000-0x0000000004CFA000-memory.dmp

Filesize
40KB

Download
memory/2616-41-0x0000000004D40000-0x0000000004D4E000-memory.dmp

Filesize
56KB

Download
memory/2616-28-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/2616-43-0x0000000004D60000-0x0000000004D68000-memory.dmp

Filesize
32KB

Download
memory/2616-44-0x0000000004EB0000-0x0000000004EBC000-memory.dmp

Filesize
48KB

Download
memory/2616-26-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/2616-25-0x0000000000650000-0x000000000065E000-memory.dmp

Filesize
56KB

Download
memory/2616-24-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/2616-14-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2616-11-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2616-13-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2616-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2616-17-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2616-22-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/2616-21-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2616-292-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/2616-19-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2616-9-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download