Analysis
max time kernel: 91s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-05-2024 03:55
Behavioral task: behavioral1
Sample: 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Size: 2.7MB
MD5: 6fa32b421f0866b58f05526f85b6d590
SHA1: fb2463e84c81171c07f1cd6f4b661231cc6e01c2
SHA256: f3227b8dbb23c0388c1c761da0751316e0963dac4e15ed1a62c92a8a2d0a4601
SHA512: e74839e7e6b7e7c3c78e658878f86813c1470d881110c0b2ee96e859dd9f9dccb89561d83aafbafdbf682eafbb40e92cc129aa489f067dc94861113109d7dd45
SSDEEP: 49152:iH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:iHfE5Ad8Xd295UmGc
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Modifies WinLogon for persistence 2 TTPs 12 IoCs
Processes: 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\RuntimeBroker.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\uk-UA\\taskhostw.exe\", \"C:\\Program Files\\Uninstall Information\\SppExtComObj.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\uk-UA\\taskhostw.exe\", \"C:\\Program Files\\Uninstall Information\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\SaslPrep\\Idle.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\uk-UA\\taskhostw.exe\", \"C:\\Program Files\\Uninstall Information\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\SaslPrep\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\lsass.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\uk-UA\\taskhostw.exe\", \"C:\\Program Files\\Uninstall Information\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\SaslPrep\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\lsass.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default User\\unsecapp.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\uk-UA\\taskhostw.exe\", \"C:\\Program Files\\Uninstall Information\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\SaslPrep\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\lsass.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files\\Java\\jre8\\lib\\upfc.exe\", \"C:\\Program Files\\Common Files\\DESIGNER\\fontdrvhost.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\uk-UA\\taskhostw.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\uk-UA\\taskhostw.exe\", \"C:\\Program Files\\Uninstall Information\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\SaslPrep\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\lsass.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\spoolsv.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\uk-UA\\taskhostw.exe\", \"C:\\Program Files\\Uninstall Information\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\SaslPrep\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\lsass.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\uk-UA\\taskhostw.exe\", \"C:\\Program Files\\Uninstall Information\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\SaslPrep\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\lsass.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files\\Java\\jre8\\lib\\upfc.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (36 instances)
columns: description | pid | pid_target | process | target process
description (all 36 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target (all 36 rows): 1416
process (all 36 rows): schtasks.exe
pid (one row each, in report order): 1376, 2392, 3800, 1008, 2196, 1856, 4564, 3780, 4916, 3952, 4532, 2792, 2688, 2860, 4784, 5112, 5012, 4300, 2628, 4664, 4608, 320, 3112, 1896, 1648, 3692, 4828, 4960, 3572, 1780, 2348, 1756, 4876, 3292, 520, 2700
UAC bypass
Processes: 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe, unsecapp.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | unsecapp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | unsecapp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | unsecapp.exe
Processes:
resource | yara_rule
behavioral2/memory/464-1-0x00000000003F0000-0x00000000006B0000-memory.dmp | dcrat
C:\Program Files\Uninstall Information\SppExtComObj.exe | dcrat
C:\Program Files\Java\jre8\lib\upfc.exe | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes: 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Executes dropped EXE 1 IoCs
Processes: unsecapp.exe
pid | process
3308 | unsecapp.exe
Adds Run key to start application 2 TTPs 24 IoCs
Processes: 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Java\\jre8\\lib\\upfc.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Uninstall Information\\SppExtComObj.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\spoolsv.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Uninstall Information\\SppExtComObj.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\SaslPrep\\Idle.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default User\\unsecapp.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\RuntimeBroker.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files (x86)\\Windows Media Player\\uk-UA\\taskhostw.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files (x86)\\Windows Media Player\\uk-UA\\taskhostw.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\lsass.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\spoolsv.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Common Files\\DESIGNER\\fontdrvhost.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\RuntimeBroker.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\SaslPrep\\Idle.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\lsass.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default User\\unsecapp.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Java\\jre8\\lib\\upfc.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Common Files\\DESIGNER\\fontdrvhost.exe\"" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Checks whether UAC is enabled
Processes: unsecapp.exe, 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | unsecapp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | unsecapp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Drops file in Program Files directory 32 IoCs
Processes: 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
process (all 32 rows): 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
description | ioc
File opened for modification | C:\Program Files\Uninstall Information\RCX6026.tmp
File opened for modification | C:\Program Files\Windows NT\Accessories\en-US\spoolsv.exe
File opened for modification | C:\Program Files\Java\jre8\lib\upfc.exe
File created | C:\Program Files (x86)\Windows Media Player\uk-UA\ea9f0e6c9e2dcd
File created | C:\Program Files (x86)\Windows Defender\es-ES\6203df4a6bafc7
File opened for modification | C:\Program Files (x86)\Windows Media Player\uk-UA\taskhostw.exe
File created | C:\Program Files (x86)\Windows Defender\es-ES\lsass.exe
File opened for modification | C:\Program Files\Windows Security\StartMenuExperienceHost.exe
File opened for modification | C:\Program Files\Common Files\DESIGNER\fontdrvhost.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\es-ES\RCX64AC.tmp
File created | C:\Program Files (x86)\Windows Media Player\uk-UA\taskhostw.exe
File created | C:\Program Files\Java\jre8\lib\upfc.exe
File opened for modification | C:\Program Files\Windows Security\RCX5A18.tmp
File opened for modification | C:\Program Files\Java\jre8\lib\RCX6D4C.tmp
File opened for modification | C:\Program Files\Common Files\DESIGNER\RCX6FEC.tmp
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\6ccacd8608530f
File opened for modification | C:\Program Files\Uninstall Information\SppExtComObj.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\es-ES\lsass.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\Idle.exe
File created | C:\Program Files\Uninstall Information\e1ef82546f0b02
File created | C:\Program Files\Windows NT\Accessories\en-US\spoolsv.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\uk-UA\RCX5E22.tmp
File created | C:\Program Files\Common Files\DESIGNER\fontdrvhost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\RCX622B.tmp
File created | C:\Program Files\Windows Security\StartMenuExperienceHost.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\Idle.exe
File created | C:\Program Files\Java\jre8\lib\ea1d8f6d871115
File created | C:\Program Files\Windows NT\Accessories\en-US\f3b6ecef712a24
File opened for modification | C:\Program Files\Windows NT\Accessories\en-US\RCX66C1.tmp
File created | C:\Program Files\Windows Security\55b276f4edf653
File created | C:\Program Files\Uninstall Information\SppExtComObj.exe
File created | C:\Program Files\Common Files\DESIGNER\5b884080fd4f94
Drops file in Windows directory 4 IoCs
Processes: 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
description | ioc | process
File created | C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
File created | C:\Windows\BitLockerDiscoveryVolumeContents\9e8d7a4ca61bd9 | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\RCX5C1D.tmp | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (36 instances)
columns: pid | process
process (all 36 rows): schtasks.exe
pid (one row each, in report order): 1780, 3292, 2860, 4608, 1896, 4784, 5112, 3112, 4960, 520, 2700, 1856, 4564, 5012, 1756, 1008, 2792, 4300, 1648, 2392, 3780, 2688, 320, 4828, 4916, 3952, 4532, 3572, 2348, 4876, 2628, 4664, 3692, 1376, 3800, 2196
Modifies registry class 1 IoCs
Processes: 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses 50 IoCs
Processes: 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe, powershell.exe, unsecapp.exe
pid | process | rows
464 | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe | 40
4460 | powershell.exe | 2
3308 | unsecapp.exe | 8
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe, powershell.exe, unsecapp.exe
description | pid | process
Token: SeDebugPrivilege | 464 | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Token: SeDebugPrivilege | 4460 | powershell.exe
Token: SeDebugPrivilege | 3308 | unsecapp.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe, cmd.exe
description | pid | process | target process
PID 464 wrote to memory of 4460 | 464 | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe | powershell.exe
PID 464 wrote to memory of 4460 | 464 | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe | powershell.exe
PID 464 wrote to memory of 3564 | 464 | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe | cmd.exe
PID 464 wrote to memory of 3564 | 464 | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe | cmd.exe
PID 3564 wrote to memory of 1552 | 3564 | cmd.exe | w32tm.exe
PID 3564 wrote to memory of 1552 | 3564 | cmd.exe | w32tm.exe
PID 3564 wrote to memory of 3308 | 3564 | cmd.exe | unsecapp.exe
PID 3564 wrote to memory of 3308 | 3564 | cmd.exe | unsecapp.exe
System policy modification 1 TTPs 6 IoCs
Processes: unsecapp.exe, 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | unsecapp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | unsecapp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | unsecapp.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe"
  (level 1)
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:464 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
  (level 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4460
-
-
C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bHlpqKHqcm.bat"
  (level 2)
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  (level 3)
  PID:1552
-
-
C:\Users\Default User\unsecapp.exe
  "C:\Users\Default User\unsecapp.exe"
  (level 3)
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3308
-
-
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2392
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3800
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\StartMenuExperienceHost.exe'" /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1008
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe'" /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4564
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe'" /rl HIGHEST /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3780
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe'" /rl HIGHEST /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4916
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\taskhostw.exe'" /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3952
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\taskhostw.exe'" /rl HIGHEST /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4532
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\taskhostw.exe'" /rl HIGHEST /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2792
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\SppExtComObj.exe'" /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\SppExtComObj.exe'" /rl HIGHEST /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\SppExtComObj.exe'" /rl HIGHEST /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4784
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\Idle.exe'" /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5112
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\Idle.exe'" /rl HIGHEST /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\Idle.exe'" /rl HIGHEST /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4300
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\lsass.exe'" /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\lsass.exe'" /rl HIGHEST /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\lsass.exe'" /rl HIGHEST /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\en-US\spoolsv.exe'" /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\spoolsv.exe'" /rl HIGHEST /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3112
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\en-US\spoolsv.exe'" /rl HIGHEST /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3692
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\unsecapp.exe'" /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3572
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre8\lib\upfc.exe'" /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2348
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Java\jre8\lib\upfc.exe'" /rl HIGHEST /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre8\lib\upfc.exe'" /rl HIGHEST /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\DESIGNER\fontdrvhost.exe'" /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3292
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\fontdrvhost.exe'" /rl HIGHEST /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:520
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\DESIGNER\fontdrvhost.exe'" /rl HIGHEST /f
  (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Downloads