Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-05-2024 01:27

Behavioral task behavioral1
Sample: 4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe
Resource: win7-20240215-en

Behavioral task behavioral2
Sample: 4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe
Size: 1.4MB
MD5: 4bec34d79d2e920bf234f4836b54a5f0
SHA1: cc0cbb5240d0647f4e1ce31297c9be3dda6ff63e
SHA256: 845318e1a65284778f53efd4f5d611e41dfe11138432d7e266e5568595d4f920
SHA512: 0889b8a31da1da823438da8e747ed87acd54d6806519a5723328f3968ca6cb205953598dc84a58ab602d16c2e657aed3f6fd95355e797dc2e23bbfd3940ac862
SSDEEP: 24576:sb0k+mAJhhjPadFWlFCj1braPSoSnj9w5pi2E4hsc9yhh8mtffogLrsyp:vk+Bh2LWlIlJO5U2B9u9fuy
Malware Config
Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process (42 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description | pid | pid_target | process | target process):
All 42 entries carry the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", with pid_target 2692 and target process schtasks.exe. The pid of the spawned schtasks.exe in each entry, in report order:
4460, 4044, 1656, 2824, 4668, 548, 3700, 2204, 536, 652, 3800, 3860, 1460, 4356, 2084, 3040, 4696, 3420, 2952, 1612, 1048, 2208, 4872, 4968, 3036, 3180, 4212, 3160, 4116, 1336, 4488, 4608, 2008, 4524, 4432, 2936, 3268, 624, 1616, 3232, 4932, 404
YARA matches (resource | yara_rule):
behavioral2/memory/1328-1-0x00000000004D0000-0x0000000000638000-memory.dmp | dcrat
C:\Program Files\WindowsPowerShell\Modules\dwm.exe | dcrat
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe
Executes dropped EXE (1 IoC)
Processes (pid | process):
3560 | backgroundTaskHost.exe
Drops file in Program Files directory (20 IoCs)
Processes (description | ioc); the process for every entry is 4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe:
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\SppExtComObj.exe
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\backgroundTaskHost.exe
File created | C:\Program Files\Windows Defender\886983d96e3d3e
File created | C:\Program Files\Uninstall Information\55b276f4edf653
File created | C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\e6c9b481da804f
File created | C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\e1ef82546f0b02
File created | C:\Program Files\WindowsPowerShell\Modules\6cb0b6c459d5d3
File created | C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe
File created | C:\Program Files (x86)\Windows Media Player\en-US\sihost.exe
File created | C:\Program Files\Microsoft Office\Office16\ea1d8f6d871115
File created | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Retail\taskhostw.exe
File created | C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\eddb19405b7ce1
File created | C:\Program Files\WindowsPowerShell\Modules\dwm.exe
File created | C:\Program Files (x86)\Windows Media Player\en-US\66fc9ff0ee96c2
File created | C:\Program Files\Microsoft Office\Office16\upfc.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\SppExtComObj.exe
File created | C:\Program Files\Windows Defender\csrss.exe
File created | C:\Program Files (x86)\Windows Defender\9e8d7a4ca61bd9
Drops file in Windows directory (2 IoCs)
Processes (description | ioc | process):
File created | C:\Windows\Microsoft.NET\authman\SearchApp.exe | 4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe
File created | C:\Windows\Microsoft.NET\authman\38384e6a620884 | 4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 42 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid | process); the process for every entry is schtasks.exe, with pids in report order:
4696, 2208, 4608, 652, 3420, 2952, 1048, 4968, 3040, 4872, 3036, 4432, 2936, 4044, 3700, 4212, 4524, 4488, 624, 3232, 1656, 2204, 536, 3180, 4116, 3268, 404, 548, 4356, 2084, 1612, 1336, 4460, 1460, 2008, 1616, 4932, 2824, 4668, 3800, 3860, 3160
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process); the 64 entries are repeated occurrences of the following two processes:
1328 | 4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe
3560 | backgroundTaskHost.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid | process):
3560 | backgroundTaskHost.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process):
Token: SeDebugPrivilege | 1328 | 4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe
Token: SeDebugPrivilege | 3560 | backgroundTaskHost.exe
Suspicious use of WriteProcessMemory (2 IoCs)
Processes (description | pid | process | target process):
PID 1328 wrote to memory of 3560 | 1328 | 4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe | backgroundTaskHost.exe
PID 1328 wrote to memory of 3560 | 1328 | 4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe | backgroundTaskHost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe (PID 1328, tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe"
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Common Files\Microsoft Shared\backgroundTaskHost.exe (PID 3560, tree depth 2)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\backgroundTaskHost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken

The following 42 processes share the image C:\Windows\system32\schtasks.exe at tree depth 1, and each is flagged "Process spawned unexpected child process" and "Creates scheduled task(s)". Listed as PID | command line:
4460 | schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\SppExtComObj.exe'" /f
4044 | schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\SppExtComObj.exe'" /rl HIGHEST /f
1656 | schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\SppExtComObj.exe'" /rl HIGHEST /f
2824 | schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
4668 | schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
548 | schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
3700 | schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\backgroundTaskHost.exe'" /f
2204 | schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\backgroundTaskHost.exe'" /rl HIGHEST /f
536 | schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\backgroundTaskHost.exe'" /rl HIGHEST /f
652 | schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\authman\SearchApp.exe'" /f
3800 | schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\SearchApp.exe'" /rl HIGHEST /f
3860 | schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\Microsoft.NET\authman\SearchApp.exe'" /rl HIGHEST /f
1460 | schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Modules\dwm.exe'" /f
4356 | schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\dwm.exe'" /rl HIGHEST /f
2084 | schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Modules\dwm.exe'" /rl HIGHEST /f
3040 | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Links\csrss.exe'" /f
4696 | schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Links\csrss.exe'" /rl HIGHEST /f
3420 | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Links\csrss.exe'" /rl HIGHEST /f
2952 | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\csrss.exe'" /f
1612 | schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\csrss.exe'" /rl HIGHEST /f
1048 | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\csrss.exe'" /rl HIGHEST /f
2208 | schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe'" /f
4872 | schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe'" /rl HIGHEST /f
4968 | schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe'" /rl HIGHEST /f
3036 | schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\sihost.exe'" /f
3180 | schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\en-US\sihost.exe'" /rl HIGHEST /f
4212 | schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\sihost.exe'" /rl HIGHEST /f
3160 | schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office16\upfc.exe'" /f
4116 | schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\upfc.exe'" /rl HIGHEST /f
1336 | schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office16\upfc.exe'" /rl HIGHEST /f
4488 | schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /f
4608 | schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
2008 | schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
4524 | schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\SearchApp.exe'" /f
4432 | schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
2936 | schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
3268 | schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
624 | schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1616 | schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
3232 | schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe'" /f
4932 | schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe'" /rl HIGHEST /f
404 | schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15