Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
14-05-2024 04:09
Behavioral task
behavioral1
Sample
734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe
-
Size
1.0MB
-
MD5
734f4ee215cafb87214221d572d5c660
-
SHA1
36b2b6ceae28a15c765dc28c19a6cebfe39866d5
-
SHA256
6637617b15474b43846983ba5fec458473677fd52408d6f09eaf557a8daa9d5a
-
SHA512
2070b0a7163280a48590955a8063869bbf521048163fe5e993283a06d92b25e7ca6b33782db1cd89f7631c21b646956cf42622e5945c6ba67f1f6ff962604a21
-
SSDEEP
12288:zXDkXlsYZVs6NanExuLCEHFT5J90YJqNn4qiXY+ii94vX1lnXMquJTloyf5II2xO:zzysYZV+Ec1OZ4XY+iLNXuJxXb
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2756 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2664 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2776 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2808 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2612 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2536 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2568 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2508 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2560 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3028 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2752 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2212 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2244 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2836 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2872 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2920 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2900 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1036 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1992 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1900 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1600 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2012 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 796 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 284 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2800 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2796 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 264 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1748 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1652 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1760 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1836 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2252 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1264 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 324 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2492 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2440 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2328 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2056 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1480 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1744 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3000 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1516 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2688 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2448 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2128 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 296 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1528 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1644 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1144 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3060 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2100 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1712 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 604 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3040 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2192 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1364 2620 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1820 2620 schtasks.exe -
Processes:
resource yara_rule behavioral1/memory/2116-1-0x0000000000DD0000-0x0000000000EE0000-memory.dmp dcrat C:\Program Files (x86)\Microsoft Office\Templates\dllhost.exe dcrat behavioral1/memory/2208-52-0x0000000000B70000-0x0000000000C80000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 868 powershell.exe 1576 powershell.exe 2200 powershell.exe 1248 powershell.exe 1840 powershell.exe 2596 powershell.exe 2024 powershell.exe 1832 powershell.exe 2604 powershell.exe 1680 powershell.exe 2264 powershell.exe 2948 powershell.exe -
Executes dropped EXE 1 IoCs
Processes:
explorer.exepid process 2208 explorer.exe -
Drops file in Program Files directory 8 IoCs
Processes:
734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exedescription ioc process File created C:\Program Files (x86)\Windows Mail\it-IT\csrss.exe 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe File created C:\Program Files (x86)\Windows Mail\it-IT\886983d96e3d3e 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe File created C:\Program Files\DVD Maker\ja-JP\spoolsv.exe 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe File created C:\Program Files\DVD Maker\ja-JP\f3b6ecef712a24 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe File created C:\Program Files (x86)\Microsoft Office\Templates\dllhost.exe 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe File created C:\Program Files (x86)\Microsoft Office\Templates\5940a34987c991 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe File created C:\Program Files (x86)\Internet Explorer\csrss.exe 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe File created C:\Program Files (x86)\Internet Explorer\886983d96e3d3e 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe -
Drops file in Windows directory 8 IoCs
Processes:
734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exedescription ioc process File created C:\Windows\Vss\Writers\Application\System.exe 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe File created C:\Windows\Vss\Writers\Application\27d1bcfc3c54e0 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe File created C:\Windows\twain_32\audiodg.exe 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe File opened for modification C:\Windows\twain_32\audiodg.exe 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe File created C:\Windows\twain_32\42af1c969fbb7b 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe File created C:\Windows\winsxs\amd64_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7601.17514_none_90ecf919657dacf4\smss.exe 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe File created C:\Windows\rescache\winlogon.exe 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe File created C:\Windows\Boot\sppsvc.exe 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2252 schtasks.exe 296 schtasks.exe 2192 schtasks.exe 2900 schtasks.exe 2776 schtasks.exe 1264 schtasks.exe 1480 schtasks.exe 2688 schtasks.exe 2808 schtasks.exe 2212 schtasks.exe 1836 schtasks.exe 1516 schtasks.exe 2568 schtasks.exe 3028 schtasks.exe 2244 schtasks.exe 1760 schtasks.exe 3000 schtasks.exe 1644 schtasks.exe 2752 schtasks.exe 1600 schtasks.exe 2796 schtasks.exe 604 schtasks.exe 1036 schtasks.exe 1528 schtasks.exe 2100 schtasks.exe 2440 schtasks.exe 1364 schtasks.exe 1900 schtasks.exe 796 schtasks.exe 2492 schtasks.exe 2664 schtasks.exe 2056 schtasks.exe 2508 schtasks.exe 2012 schtasks.exe 1748 schtasks.exe 1744 schtasks.exe 3040 schtasks.exe 2800 schtasks.exe 2128 schtasks.exe 3060 schtasks.exe 2560 schtasks.exe 1712 schtasks.exe 2536 schtasks.exe 264 schtasks.exe 2328 schtasks.exe 2920 schtasks.exe 1992 schtasks.exe 284 schtasks.exe 2448 schtasks.exe 2756 schtasks.exe 2612 schtasks.exe 2836 schtasks.exe 1144 schtasks.exe 1820 schtasks.exe 2872 schtasks.exe 1652 schtasks.exe 324 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeexplorer.exepid process 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe 1840 powershell.exe 2024 powershell.exe 2948 powershell.exe 2596 powershell.exe 1832 powershell.exe 1680 powershell.exe 1576 powershell.exe 2264 powershell.exe 2200 powershell.exe 1248 powershell.exe 868 powershell.exe 2604 powershell.exe 2208 explorer.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes:
734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeexplorer.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe Token: SeDebugPrivilege 1840 powershell.exe Token: SeDebugPrivilege 2024 powershell.exe Token: SeDebugPrivilege 2596 powershell.exe Token: SeDebugPrivilege 2948 powershell.exe Token: SeDebugPrivilege 1832 powershell.exe Token: SeDebugPrivilege 1680 powershell.exe Token: SeDebugPrivilege 2208 explorer.exe Token: SeDebugPrivilege 1576 powershell.exe Token: SeDebugPrivilege 2264 powershell.exe Token: SeDebugPrivilege 2200 powershell.exe Token: SeDebugPrivilege 1248 powershell.exe Token: SeDebugPrivilege 868 powershell.exe Token: SeDebugPrivilege 2604 powershell.exe -
Suspicious use of WriteProcessMemory 39 IoCs
Processes:
734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exedescription pid process target process PID 2116 wrote to memory of 2596 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 2596 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 2596 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 1840 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 1840 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 1840 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 868 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 868 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 868 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 1832 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 1832 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 1832 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 2024 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 2024 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 2024 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 2948 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 2948 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 2948 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 2264 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 2264 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 2264 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 2200 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 2200 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 2200 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 1576 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 1576 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 1576 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 1680 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 1680 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 1680 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 2604 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 2604 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 2604 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 1248 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 1248 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 1248 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe powershell.exe PID 2116 wrote to memory of 2208 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe explorer.exe PID 2116 wrote to memory of 2208 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe explorer.exe PID 2116 wrote to memory of 2208 2116 734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe explorer.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\734f4ee215cafb87214221d572d5c660_NeikiAnalytics.exe"1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1832
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2264
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248
-
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\twain_32\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\ja-JP\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\ja-JP\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Links\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Links\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\Crashpad\reports\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\Crashpad\reports\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Vss\Writers\Application\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\Application\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Documents\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Documents\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD5734f4ee215cafb87214221d572d5c660
SHA136b2b6ceae28a15c765dc28c19a6cebfe39866d5
SHA2566637617b15474b43846983ba5fec458473677fd52408d6f09eaf557a8daa9d5a
SHA5122070b0a7163280a48590955a8063869bbf521048163fe5e993283a06d92b25e7ca6b33782db1cd89f7631c21b646956cf42622e5945c6ba67f1f6ff962604a21
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5245524c24489b2cb78531027175f610f
SHA16dfaf01002c95eb98a713c81ca44bd9b63ec1026
SHA2563512bc96721f73a7b60bd2f4fda5db48c4de2f5566fca8562d8acfe368d3bc5e
SHA512ca8a549dbb29224a2b296be1a0ad3b90360adeeac9dffdf44a5489ba4b4b9adb03bee51ba284a283ac736869e1bf3e45959494fc1734e7d9bab18f71e88acfe7