Analysis
max time kernel: 125s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-05-2024 04:56
Behavioral task: behavioral1
Sample: 75552440685c9dc4644df81c7e365370_NeikiAnalytics.exe
Resource: win7-20240508-en
General
Target: 75552440685c9dc4644df81c7e365370_NeikiAnalytics.exe
Size: 7.5MB
MD5: 75552440685c9dc4644df81c7e365370
SHA1: 0935691adc68a97a6a677c3fa8751568b04b383e
SHA256: f079f9374811130ef9b4df4ecb0d7b70cc253c2df7774ddb3f13363797f52124
SHA512: 74dd580f6f2ef2ca8b193d7d522034f1f2235cd95e176c646cf4aab4d975567fa096d3b66fa6df15e89abad5361e6b3812ea51df68e47e90d6fcc1fc6c50ed45
SSDEEP: 98304:3h5cyZ/K9NFLsO0MJdX1ezhQcSZcOb+sX1Zvbed4Z0FGRABTgtse6vzovkGx:3h5lZ/WFAnMJdehQcERCsXDjyZkJMY
Malware Config
Signatures
Detect ZGRat V1 34 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3948-45-0x000000001B060000-0x000000001B2F8000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-47-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-85-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-93-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-87-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-83-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-79-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-77-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-75-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-73-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-71-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-81-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-69-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-65-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-61-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-59-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-57-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-53-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-51-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-49-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-46-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-67-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-63-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-55-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-101-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-109-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-107-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-105-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-103-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-99-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-97-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-95-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-91-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
behavioral2/memory/3948-89-0x000000001B060000-0x000000001B2F2000-memory.dmp | family_zgrat_v1
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1196 | 1336 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1524 | 1336 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2020 | 1336 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 316 | 1336 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4984 | 1336 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4468 | 1336 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1868 | 1336 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2596 | 1336 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1608 | 1336 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1540 | 1336 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2924 | 1336 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3508 | 1336 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3680 | 1336 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1032 | 1336 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4236 | 1336 | schtasks.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
2696 | powershell.exe
4900 | powershell.exe
3168 | powershell.exe
5016 | powershell.exe
1492 | powershell.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | Update.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | msWinruntimebrokercrt.exe
Executes dropped EXE 3 IoCs
Processes:
pid | process
3236 | Update.exe
3948 | msWinruntimebrokercrt.exe
1928 | dwm.exe
Loads dropped DLL 4 IoCs
Processes:
pid | process
5032 | 75552440685c9dc4644df81c7e365370_NeikiAnalytics.exe
5032 | 75552440685c9dc4644df81c7e365370_NeikiAnalytics.exe
5032 | 75552440685c9dc4644df81c7e365370_NeikiAnalytics.exe
5032 | 75552440685c9dc4644df81c7e365370_NeikiAnalytics.exe
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\Microsoft Office 15\ClientX64\dwm.exe | msWinruntimebrokercrt.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\6cb0b6c459d5d3 | msWinruntimebrokercrt.exe
Drops file in Windows directory 5 IoCs
Processes:
description | ioc | process
File created | C:\Windows\debug\9e8d7a4ca61bd9 | msWinruntimebrokercrt.exe
File created | C:\Windows\it-IT\dwm.exe | msWinruntimebrokercrt.exe
File opened for modification | C:\Windows\it-IT\dwm.exe | msWinruntimebrokercrt.exe
File created | C:\Windows\it-IT\6cb0b6c459d5d3 | msWinruntimebrokercrt.exe
File created | C:\Windows\debug\RuntimeBroker.exe | msWinruntimebrokercrt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
4984 | schtasks.exe
1540 | schtasks.exe
1196 | schtasks.exe
4468 | schtasks.exe
3680 | schtasks.exe
1868 | schtasks.exe
1608 | schtasks.exe
2924 | schtasks.exe
1032 | schtasks.exe
1524 | schtasks.exe
2020 | schtasks.exe
316 | schtasks.exe
2596 | schtasks.exe
3508 | schtasks.exe
4236 | schtasks.exe
Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | Update.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | msWinruntimebrokercrt.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
3948 | msWinruntimebrokercrt.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3948 | msWinruntimebrokercrt.exe
Token: SeDebugPrivilege | 3168 | powershell.exe
Token: SeDebugPrivilege | 1492 | powershell.exe
Token: SeDebugPrivilege | 2696 | powershell.exe
Token: SeDebugPrivilege | 5016 | powershell.exe
Token: SeDebugPrivilege | 4900 | powershell.exe
Token: SeDebugPrivilege | 1928 | dwm.exe
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
description | pid | process | target process
PID 1328 wrote to memory of 5032 | 1328 | 75552440685c9dc4644df81c7e365370_NeikiAnalytics.exe | 75552440685c9dc4644df81c7e365370_NeikiAnalytics.exe (2 entries)
PID 5032 wrote to memory of 4224 | 5032 | 75552440685c9dc4644df81c7e365370_NeikiAnalytics.exe | cmd.exe (2 entries)
PID 4224 wrote to memory of 3236 | 4224 | cmd.exe | Update.exe (3 entries)
PID 3236 wrote to memory of 5012 | 3236 | Update.exe | WScript.exe (3 entries)
PID 5012 wrote to memory of 984 | 5012 | WScript.exe | cmd.exe (3 entries)
PID 984 wrote to memory of 3948 | 984 | cmd.exe | msWinruntimebrokercrt.exe (2 entries)
PID 3948 wrote to memory of 2696 | 3948 | msWinruntimebrokercrt.exe | powershell.exe (2 entries)
PID 3948 wrote to memory of 1492 | 3948 | msWinruntimebrokercrt.exe | powershell.exe (2 entries)
PID 3948 wrote to memory of 3168 | 3948 | msWinruntimebrokercrt.exe | powershell.exe (2 entries)
PID 3948 wrote to memory of 4900 | 3948 | msWinruntimebrokercrt.exe | powershell.exe (2 entries)
PID 3948 wrote to memory of 5016 | 3948 | msWinruntimebrokercrt.exe | powershell.exe (2 entries)
PID 3948 wrote to memory of 2700 | 3948 | msWinruntimebrokercrt.exe | cmd.exe (2 entries)
PID 2700 wrote to memory of 1608 | 2700 | cmd.exe | chcp.com (2 entries)
PID 2700 wrote to memory of 2740 | 2700 | cmd.exe | PING.EXE (2 entries)
PID 2700 wrote to memory of 1928 | 2700 | cmd.exe | dwm.exe (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\75552440685c9dc4644df81c7e365370_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\75552440685c9dc4644df81c7e365370_NeikiAnalytics.exe"
   PID: 1328
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\75552440685c9dc4644df81c7e365370_NeikiAnalytics.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\75552440685c9dc4644df81c7e365370_NeikiAnalytics.exe"
     PID: 5032
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\system32\cmd.exe
       Command line: C:\Windows\system32\cmd.exe /c Update.exe
       PID: 4224
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Local\Temp\_MEI13282\Update.exe
         Command line: Update.exe
         PID: 3236
         - Checks computer location settings
         - Executes dropped EXE
         - Modifies registry class
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\SysWOW64\WScript.exe
           Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\chainProviderBrowserCommon\gniOKJTyiy2L24587b.vbe"
           PID: 5012
           - Checks computer location settings
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\SysWOW64\cmd.exe
             Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\chainProviderBrowserCommon\G8uE6tD633eayRxoVmMQKAQRLRgR.bat" "
             PID: 984
             - Suspicious use of WriteProcessMemory
            7. C:\Users\Admin\AppData\Roaming\chainProviderBrowserCommon\msWinruntimebrokercrt.exe
               Command line: "C:\Users\Admin\AppData\Roaming\chainProviderBrowserCommon/msWinruntimebrokercrt.exe"
               PID: 3948
               - Checks computer location settings
               - Executes dropped EXE
               - Drops file in Program Files directory
               - Drops file in Windows directory
               - Modifies registry class
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
              8. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                 Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\dwm.exe'
                 PID: 2696
                 - Command and Scripting Interpreter: PowerShell
                 - Suspicious use of AdjustPrivilegeToken
              8. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                 Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\dwm.exe'
                 PID: 1492
                 - Command and Scripting Interpreter: PowerShell
                 - Suspicious use of AdjustPrivilegeToken
              8. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                 Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
                 PID: 3168
                 - Command and Scripting Interpreter: PowerShell
                 - Suspicious use of AdjustPrivilegeToken
              8. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                 Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\RuntimeBroker.exe'
                 PID: 4900
                 - Command and Scripting Interpreter: PowerShell
                 - Suspicious use of AdjustPrivilegeToken
              8. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                 Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\msWinruntimebrokercrt.exe'
                 PID: 5016
                 - Command and Scripting Interpreter: PowerShell
                 - Suspicious use of AdjustPrivilegeToken
              8. C:\Windows\System32\cmd.exe
                 Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DYS9JLSQ5I.bat"
                 PID: 2700
                 - Suspicious use of WriteProcessMemory
                9. C:\Windows\system32\chcp.com
                   Command line: chcp 65001
                   PID: 1608
                9. C:\Windows\system32\PING.EXE
                   Command line: ping -n 10 localhost
                   PID: 2740
                   - Runs ping.exe
                9. C:\Program Files\Microsoft Office 15\ClientX64\dwm.exe
                   Command line: "C:\Program Files\Microsoft Office 15\ClientX64\dwm.exe"
                   PID: 1928
                   - Executes dropped EXE
                   - Suspicious use of AdjustPrivilegeToken
1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:8
   PID: 676
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\dwm.exe'" /f
   PID: 1196
   - Process spawned unexpected child process
   - Creates scheduled task(s)
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\it-IT\dwm.exe'" /rl HIGHEST /f
   PID: 1524
   - Process spawned unexpected child process
   - Creates scheduled task(s)
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\it-IT\dwm.exe'" /rl HIGHEST /f
   PID: 2020
   - Process spawned unexpected child process
   - Creates scheduled task(s)
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dwm.exe'" /f
   PID: 316
   - Process spawned unexpected child process
   - Creates scheduled task(s)
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dwm.exe'" /rl HIGHEST /f
   PID: 4984
   - Process spawned unexpected child process
   - Creates scheduled task(s)
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dwm.exe'" /rl HIGHEST /f
   PID: 4468
   - Process spawned unexpected child process
   - Creates scheduled task(s)
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
   PID: 1868
   - Process spawned unexpected child process
   - Creates scheduled task(s)
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
   PID: 2596
   - Process spawned unexpected child process
   - Creates scheduled task(s)
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
   PID: 1608
   - Process spawned unexpected child process
   - Creates scheduled task(s)
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\RuntimeBroker.exe'" /f
   PID: 1540
   - Process spawned unexpected child process
   - Creates scheduled task(s)
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\debug\RuntimeBroker.exe'" /rl HIGHEST /f
   PID: 2924
   - Process spawned unexpected child process
   - Creates scheduled task(s)
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\RuntimeBroker.exe'" /rl HIGHEST /f
   PID: 3508
   - Process spawned unexpected child process
   - Creates scheduled task(s)
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "msWinruntimebrokercrtm" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Recent\msWinruntimebrokercrt.exe'" /f
   PID: 3680
   - Process spawned unexpected child process
   - Creates scheduled task(s)
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "msWinruntimebrokercrt" /sc ONLOGON /tr "'C:\Users\Default\Recent\msWinruntimebrokercrt.exe'" /rl HIGHEST /f
   PID: 1032
   - Process spawned unexpected child process
   - Creates scheduled task(s)
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "msWinruntimebrokercrtm" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Recent\msWinruntimebrokercrt.exe'" /rl HIGHEST /f
   PID: 4236
   - Process spawned unexpected child process
   - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 944B
MD5: d28a889fd956d5cb3accfbaf1143eb6f
SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Filesize: 182B
MD5: 99de3325e034d64e5f848bc532ab8757
SHA1: 73744b5080d9234dc3e24bd9dd30e1e41397ad5a
SHA256: 12a54106c2faff75d0e0ae0f604339c14115b0a37dd0a424f986d8b69560b16a
SHA512: 0539438c09dd85837e948408c386e13580b15ba8e84827512480e47bb38e709c765a2330b140e3a1b4a14807eb32d5691ea519fee24774a1467e0e5aeb487ab4

Filesize: 2.6MB
MD5: 09a97734007a8bf914a52e703e3fab2a
SHA1: 34b65e86de26e0214259cc23594c43d8ae3634dc
SHA256: 4c4883f0ee5ad8b71c2256f2ee95c1956b6a47308d8223f82fb5f91d392b29bf
SHA512: ab0542b67d62d55ace25b1e5b0e6a786ef1064fb518e1d45df5e3db80610d030c20c318b4019d4859ac356f7299f1fe609a7638c772f35694b43ecb8f36f579a

Filesize: 2.4MB
MD5: c3cda7c747788b44fae029d327ed3e13
SHA1: 9bf9da89ec0c5da9ee5e30a2711444dcb930cd85
SHA256: 45b919cfb1807ae86bd7cf8f9a6630708a81f7dc9799b5328177e1a25fa0e2cd
SHA512: 5cdadc0801568fb7adc9de75eeb75a4f8e1d81297f95318c58229b7b09392ae8d1b88063e712481ff28020e12e9372e1e8049f0ed850142e76531adfbeb9c91f

Filesize: 93KB
MD5: 4a365ffdbde27954e768358f4a4ce82e
SHA1: a1b31102eee1d2a4ed1290da2038b7b9f6a104a3
SHA256: 6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c
SHA512: 54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Filesize: 84KB
MD5: e91b4f8e1592da26bacaceb542a220a8
SHA1: 5459d4c2147fa6db75211c3ec6166b869738bd38
SHA256: 20895fa331712701ebfdbb9ab87e394309e910f1d782929fd65b59ed76d9c90f
SHA512: cb797fa758c65358e5b0fef739181f6b39e0629758a6f8d5c4bd7dc6422001769a19df0c746724fb2567a58708b18bbd098327bfbdf3378426049b113eb848e9

Filesize: 264KB
MD5: 65287fd87a64bc756867a1afddec9e29
SHA1: cda1db353f81df7a4a818add8f87bca9ac840455
SHA256: df19c2e6ec3145166fa8d206c11db78bc1979a027105c4f21d40410b5082ba34
SHA512: 3e3f19cf965b260ffc68e45d5101234e8a957411c076a0d487d307dcfa714a9801cb501224fe7621937aebdf90275f655c8a70dd6675bcfb5374404fda53236f

Filesize: 64KB
MD5: 7c69cb3cb3182a97e3e9a30d2241ebed
SHA1: 1b8754ff57a14c32bcadc330d4880382c7fffc93
SHA256: 12a84bacb071b1948a9f751ac8d0653ba71a8f6b217a69fe062608e532065c20
SHA512: 96dbabbc6b98d473cbe06dcd296f6c6004c485e57ac5ba10560a377393875192b22df8a7103fe4a22795b8d81b8b0ae14ce7646262f87cb609b9e2590a93169e

Filesize: 159KB
MD5: 493c33ddf375b394b648c4283b326481
SHA1: 59c87ee582ba550f064429cb26ad79622c594f08
SHA256: 6384ded31408788d35a89dc3f7705ea2928f6bbdeb8b627f0d1b2d7b1ea13e16
SHA512: a4a83f04c7fc321796ce6a932d572dca1ad6ecefd31002320aeaa2453701ed49ef9f0d9ba91c969737565a6512b94fbb0311aee53d355345a03e98f43e6f98b2

Filesize: 78KB
MD5: fd1cfe0f0023c5780247f11d8d2802c9
SHA1: 5b29a3b4c6edb6fa176077e1f1432e3b0178f2bc
SHA256: 258a5f0b4d362b2fed80b24eeabcb3cdd1602e32ff79d87225da6d15106b17a6
SHA512: b304a2e56829a557ec401c6fdda78d6d05b7495a610c1ed793d6b25fc5af891cb2a1581addb27ab5e2a6cb0be24d9678f67b97828015161bc875df9b7b5055ae

Filesize: 826KB
MD5: 2abe470164e060916c6842da1263e5ad
SHA1: 197163bfb26ce54420fa6eba03cf0fa0a5622934
SHA256: 151a4c8ea261130b5ae94653e5470ac6fe4663de269c187b2b38d6fccadc1baa
SHA512: 01e2c58b24f7d3d7b31df97c6dbe8aee0c0f61f457c78d62830fa954c17dffb74b4e5389ef389926b5ba78f96deb08ad4cd61c9ecea256bf35e0a99cd2366d65

Filesize: 3.2MB
MD5: 89511df61678befa2f62f5025c8c8448
SHA1: df3961f833b4964f70fcf1c002d9fd7309f53ef8
SHA256: 296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf
SHA512: 9af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668

Filesize: 4.3MB
MD5: 5cd203d356a77646856341a0c9135fc6
SHA1: a1f4ac5cc2f5ecb075b3d0129e620784814a48f7
SHA256: a56afcf5f3a72769c77c3bc43c9b84197180a8b3380b6258073223bfd72ed47a
SHA512: 390008d57fa711d7c88b77937bf16fdb230e7c1e7182faea6d7c206e9f65ced6f2e835f9da9befb941e80624abe45875602e0e7ad485d9a009d2450a2a0e0f1f

Filesize: 28KB
MD5: 0e3cf5d792a3f543be8bbc186b97a27a
SHA1: 50f4c70fce31504c6b746a2c8d9754a16ebc8d5e
SHA256: c7ffae6dc927cf10ac5da08614912bb3ad8fc52aa0ef9bc376d831e72dd74460
SHA512: 224b42e05b4dbdf7275ee7c5d3eb190024fc55e22e38bd189c1685efee2a3dd527c6dfcb2feeec525b8d6dc35aded1eac2423ed62bb2599bb6a9ea34e842c340

Filesize: 1.1MB
MD5: 7af51031368619638cca688a7275db14
SHA1: 64e2cc5ac5afe8a65af690047dc03858157e964c
SHA256: 7f02a99a23cc3ff63ecb10ba6006e2da7bf685530bad43882ebf90d042b9eeb6
SHA512: fbde24501288ff9b06fc96faff5e7a1849765df239e816774c04a4a6ef54a0c641adf4325bfb116952082d3234baef12288174ad8c18b62407109f29aa5ab326

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 106B
MD5: e24834f7ee8cf79c64bad3c8b584c544
SHA1: cfab87d796f5ea2d859c79b031f27989f5c8db8e
SHA256: 396bc8928db2bf0bab219079382ab3d59f2583a520b04733536a06862f937737
SHA512: 9c60f85ab02992a7aa33b0804908fe1750fa033ab5d706228095ff8eb2613c1bfb5fb3a50c96ff9ef00de449bd6b49f1de451066787ced637740e1245e424594

Filesize: 236B
MD5: 6e94c3b45fb8800584700c41110ede32
SHA1: d0f84586a043845f8c8f27699ed0bb6f2d65971c
SHA256: 3c116f72cbd04239eeea6b4ec789d47c9fe9c946ff9cdc16bd792a9fc55bbde7
SHA512: c3cda3dadd3df7067812139d5598f9fd2d6cd9f7afeab51820a8fbf44d8ab489944cd8e04b73a8391ee043401c06e550bcf79b9892fb520e7ac6bb982b04f516

Filesize: 2.2MB
MD5: 25e509398197efe59f7f088c75833914
SHA1: 3c0482b5e12a1df6f184b43b4f87041140e2d163
SHA256: 66d0f44a9c53f8874252142bd6334ab2e3373e42bd4ba9fda3b337f8eb5d1805
SHA512: 35eba476c6f013aabefdd192a64bf0b5debf87a7e66ec59b87c083f39cb6a496209ff73e7492432580b581a06ae1ebe1d4de6c225f470f17b371fe1f8c3b8452