Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 14-05-2024 06:37

Behavioral task: behavioral1
Sample: 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Resource: win10v2004-20240426-en

General
Target: 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Size: 2.7MB
MD5: 95f59fe3c8e5e66dbd3ec28962845e10
SHA1: 465475ba13cbd5282c197bea754d7be3cca36338
SHA256: e105fa995b33fb8c05d0853890b99965dc5aae8fc37c4d365a2e4dcce6819ce6
SHA512: 03adbe754f1110cf16c04a8e61f8df6f5cc065b1392fd7d4e1ca2ef5d6294dd9dea0c4a902181282dd1e7972d592031abbee2c768b67dc4df92d19e346f5a824
SSDEEP: 49152:yH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:yHfE5Ad8Xd295UmGc
Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Modifies WinLogon for persistence (2 TTPs, 16 IoCs)
Processes: 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\lsass.exe\", \"C:\\Windows\\Migration\\WTR\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\spoolsv.exe\", \"C:\\Windows\\fr-FR\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\dllhost.exe\", \"C:\\Users\\Admin\\winlogon.exe\", \"C:\\Users\\Default\\spoolsv.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\csrss.exe\", \"C:\\Windows\\SoftwareDistribution\\AuthCabs\\spoolsv.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\lsass.exe\", \"C:\\Windows\\Migration\\WTR\\csrss.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\lsass.exe\", \"C:\\Windows\\Migration\\WTR\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\lsass.exe\", \"C:\\Windows\\Migration\\WTR\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\spoolsv.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\lsass.exe\", \"C:\\Windows\\Migration\\WTR\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\spoolsv.exe\", \"C:\\Windows\\fr-FR\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\dllhost.exe\", \"C:\\Users\\Admin\\winlogon.exe\", \"C:\\Users\\Default\\spoolsv.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\lsass.exe\", \"C:\\Windows\\Migration\\WTR\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\spoolsv.exe\", \"C:\\Windows\\fr-FR\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\dllhost.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\lsass.exe\", \"C:\\Windows\\Migration\\WTR\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\spoolsv.exe\", \"C:\\Windows\\fr-FR\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\dllhost.exe\", \"C:\\Users\\Admin\\winlogon.exe\", \"C:\\Users\\Default\\spoolsv.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\lsass.exe\", \"C:\\Windows\\Migration\\WTR\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\spoolsv.exe\", \"C:\\Windows\\fr-FR\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\dllhost.exe\", \"C:\\Users\\Admin\\winlogon.exe\", \"C:\\Users\\Default\\spoolsv.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\lsass.exe\", \"C:\\Windows\\Migration\\WTR\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\spoolsv.exe\", \"C:\\Windows\\fr-FR\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\dllhost.exe\", \"C:\\Users\\Admin\\winlogon.exe\", \"C:\\Users\\Default\\spoolsv.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\csrss.exe\", \"C:\\Windows\\SoftwareDistribution\\AuthCabs\\spoolsv.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe\", \"C:\\Program Files\\7-Zip\\Lang\\lsm.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\lsass.exe\", \"C:\\Windows\\Migration\\WTR\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\spoolsv.exe\", \"C:\\Windows\\fr-FR\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\lsass.exe\", \"C:\\Windows\\Migration\\WTR\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\spoolsv.exe\", \"C:\\Windows\\fr-FR\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\dllhost.exe\", \"C:\\Users\\Admin\\winlogon.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\lsass.exe\", \"C:\\Windows\\Migration\\WTR\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\spoolsv.exe\", \"C:\\Windows\\fr-FR\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\dllhost.exe\", \"C:\\Users\\Admin\\winlogon.exe\", \"C:\\Users\\Default\\spoolsv.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\csrss.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\lsass.exe\", \"C:\\Windows\\Migration\\WTR\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\spoolsv.exe\", \"C:\\Windows\\fr-FR\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\dllhost.exe\", \"C:\\Users\\Admin\\winlogon.exe\", \"C:\\Users\\Default\\spoolsv.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\csrss.exe\", \"C:\\Windows\\SoftwareDistribution\\AuthCabs\\spoolsv.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\lsass.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\lsass.exe\", \"C:\\Windows\\Migration\\WTR\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\lsass.exe\", \"C:\\Windows\\Migration\\WTR\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\spoolsv.exe\", \"C:\\Windows\\fr-FR\\spoolsv.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Process spawned unexpected child process (48 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (48 instances)
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2488 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2752 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2508 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2616 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2528 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2492 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2256 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2952 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2192 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1964 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 628 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2708 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 616 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1928 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2216 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 764 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1708 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1448 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2784 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 848 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2580 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1588 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1764 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2976 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2072 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2160 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1876 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2312 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 384 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 488 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1324 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1328 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 704 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1796 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1228 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1372 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2748 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2900 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 292 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1820 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1112 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1452 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2320 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1196 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1164 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2112 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2184 | 2632 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2936 | 2632 | schtasks.exe
Processes: 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe, csrss.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Processes:
resource | yara_rule
behavioral1/memory/2044-1-0x00000000001C0000-0x0000000000480000-memory.dmp | dcrat
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\spoolsv.exe | dcrat
C:\Users\Default\RCX3000.tmp | dcrat
C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\RCX3204.tmp | dcrat
behavioral1/memory/1912-185-0x00000000001F0000-0x00000000004B0000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

Executes dropped EXE (1 IoCs)
Processes: csrss.exe
pid | process
1912 | csrss.exe
Adds Run key to start application (2 TTPs, 32 IoCs)
Processes: 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default\\spoolsv.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\spoolsv.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\fr-FR\\spoolsv.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default\\spoolsv.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\SoftwareDistribution\\AuthCabs\\spoolsv.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\7-Zip\\Lang\\lsm.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Admin\\winlogon.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\dllhost.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\Documents\\My Pictures\\csrss.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\fr-FR\\spoolsv.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Admin\\winlogon.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Common Files\\csrss.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\Documents\\My Pictures\\csrss.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Migration\\WTR\\csrss.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\7-Zip\\Lang\\lsm.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Migration\\WTR\\csrss.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\dllhost.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Google\\CrashReports\\dllhost.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Google\\CrashReports\\dllhost.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Common Files\\csrss.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Internet Explorer\\en-US\\lsass.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\spoolsv.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\SoftwareDistribution\\AuthCabs\\spoolsv.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Internet Explorer\\en-US\\lsass.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Processes: csrss.exe, 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Drops file in Program Files directory (20 IoCs)
Processes: 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
description | ioc | process
File created | C:\Program Files (x86)\Internet Explorer\en-US\6203df4a6bafc7 | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\6ece0f37f4ea72 | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\en-US\RCX1D03.tmp | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\CrashReports\RCX2BF8.tmp | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File opened for modification | C:\Program Files\7-Zip\Lang\lsm.exe | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Google\CrashReports\dllhost.exe | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File created | C:\Program Files\Common Files\886983d96e3d3e | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File created | C:\Program Files\7-Zip\Lang\101b941d020240 | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\RCX3408.tmp | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Google\CrashReports\5940a34987c991 | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\CrashReports\dllhost.exe | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File created | C:\Program Files\Common Files\csrss.exe | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File created | C:\Program Files\7-Zip\Lang\lsm.exe | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\csrss.exe | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\RCX3A13.tmp | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File opened for modification | C:\Program Files\7-Zip\Lang\RCX3C84.tmp | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Drops file in Windows directory (12 IoCs)
Processes: 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
description | ioc | process
File created | C:\Windows\SoftwareDistribution\AuthCabs\spoolsv.exe | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File opened for modification | C:\Windows\Migration\WTR\RCX1F07.tmp | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File opened for modification | C:\Windows\Migration\WTR\csrss.exe | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File opened for modification | C:\Windows\SoftwareDistribution\AuthCabs\spoolsv.exe | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File created | C:\Windows\Migration\WTR\886983d96e3d3e | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File created | C:\Windows\fr-FR\spoolsv.exe | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File created | C:\Windows\SoftwareDistribution\AuthCabs\f3b6ecef712a24 | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File opened for modification | C:\Windows\fr-FR\RCX2716.tmp | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File opened for modification | C:\Windows\fr-FR\spoolsv.exe | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File opened for modification | C:\Windows\SoftwareDistribution\AuthCabs\RCX380F.tmp | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File created | C:\Windows\Migration\WTR\csrss.exe | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File created | C:\Windows\fr-FR\f3b6ecef712a24 | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Creates scheduled task(s) (1 TTPs, 48 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (48 instances)
pid | process
616 | schtasks.exe
1328 | schtasks.exe
1820 | schtasks.exe
2256 | schtasks.exe
1708 | schtasks.exe
2580 | schtasks.exe
1876 | schtasks.exe
1324 | schtasks.exe
1112 | schtasks.exe
1452 | schtasks.exe
1164 | schtasks.exe
2112 | schtasks.exe
1928 | schtasks.exe
1764 | schtasks.exe
488 | schtasks.exe
2900 | schtasks.exe
2752 | schtasks.exe
2528 | schtasks.exe
2952 | schtasks.exe
848 | schtasks.exe
2976 | schtasks.exe
704 | schtasks.exe
1796 | schtasks.exe
2488 | schtasks.exe
2192 | schtasks.exe
2708 | schtasks.exe
1448 | schtasks.exe
2160 | schtasks.exe
2312 | schtasks.exe
1372 | schtasks.exe
2320 | schtasks.exe
2508 | schtasks.exe
2616 | schtasks.exe
2216 | schtasks.exe
1588 | schtasks.exe
764 | schtasks.exe
2784 | schtasks.exe
1196 | schtasks.exe
2184 | schtasks.exe
2936 | schtasks.exe
2492 | schtasks.exe
1964 | schtasks.exe
628 | schtasks.exe
2072 | schtasks.exe
384 | schtasks.exe
1228 | schtasks.exe
2748 | schtasks.exe
292 | schtasks.exe
Modifies system certificate store
Processes:
csrss.exe
description  ioc  process
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827  csrss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8  csrss.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe, powershell.exe, csrss.exe
pid  process
2044  95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe  (49 identical entries)
1720  powershell.exe  (1 entry)
1912  csrss.exe  (14 identical entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe, powershell.exe, csrss.exe
description  pid  process
Token: SeDebugPrivilege  2044  95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Token: SeDebugPrivilege  1720  powershell.exe
Token: SeDebugPrivilege  1912  csrss.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe, cmd.exe
description  pid  process  target process
PID 2044 wrote to memory of 1720  2044  95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe  powershell.exe  (3 identical entries)
PID 2044 wrote to memory of 2764  2044  95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe  cmd.exe  (3 identical entries)
PID 2764 wrote to memory of 2680  2764  cmd.exe  w32tm.exe  (3 identical entries)
PID 2764 wrote to memory of 1912  2764  cmd.exe  csrss.exe  (3 identical entries)
System policy modification 1 TTPs 6 IoCs
Processes:
csrss.exe, 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
description  ioc  process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation shows the parent/child relationship; the depth marker in the original tree is rendered as nesting)

C:\Users\Admin\AppData\Local\Temp\95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 2044

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1720

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8tNGcxSjT0.bat"
      - Suspicious use of WriteProcessMemory
      PID: 2764

        C:\Windows\system32\w32tm.exe
          Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          PID: 2680

        C:\Program Files\Common Files\csrss.exe
          Command line: "C:\Program Files\Common Files\csrss.exe"
          - UAC bypass
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Modifies system certificate store
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - System policy modification
          PID: 1912

C:\Windows\system32\schtasks.exe (48 top-level instances, each with no recorded parent in the tree)
  Every instance below triggered the same two signatures:
  - Process spawned unexpected child process
  - Creates scheduled task(s)

  PID: 2488  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe'" /f
  PID: 2752  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe'" /rl HIGHEST /f
  PID: 2508  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe'" /rl HIGHEST /f
  PID: 2616  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\csrss.exe'" /f
  PID: 2528  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\csrss.exe'" /rl HIGHEST /f
  PID: 2492  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\csrss.exe'" /rl HIGHEST /f
  PID: 2256  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\Idle.exe'" /f
  PID: 2952  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\Idle.exe'" /rl HIGHEST /f
  PID: 2192  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\Idle.exe'" /rl HIGHEST /f
  PID: 1964  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
  PID: 628   schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
  PID: 2708  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
  PID: 1928  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\spoolsv.exe'" /f
  PID: 616   schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\spoolsv.exe'" /rl HIGHEST /f
  PID: 2216  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\spoolsv.exe'" /rl HIGHEST /f
  PID: 764   schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\spoolsv.exe'" /f
  PID: 1708  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\fr-FR\spoolsv.exe'" /rl HIGHEST /f
  PID: 1448  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\spoolsv.exe'" /rl HIGHEST /f
  PID: 2784  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f
  PID: 848   schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
  PID: 2580  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
  PID: 1588  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\CrashReports\dllhost.exe'" /f
  PID: 1764  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\dllhost.exe'" /rl HIGHEST /f
  PID: 2976  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\dllhost.exe'" /rl HIGHEST /f
  PID: 2072  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\winlogon.exe'" /f
  PID: 2160  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
  PID: 1876  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
  PID: 2312  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\spoolsv.exe'" /f
  PID: 384   schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
  PID: 488   schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
  PID: 1324  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /f
  PID: 1328  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /rl HIGHEST /f
  PID: 704   schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /rl HIGHEST /f
  PID: 1796  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\csrss.exe'" /f
  PID: 1228  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f
  PID: 1372  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f
  PID: 2748  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Documents\My Pictures\csrss.exe'" /f
  PID: 2900  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Pictures\csrss.exe'" /rl HIGHEST /f
  PID: 292   schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Documents\My Pictures\csrss.exe'" /rl HIGHEST /f
  PID: 1820  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\SoftwareDistribution\AuthCabs\spoolsv.exe'" /f
  PID: 1112  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\AuthCabs\spoolsv.exe'" /rl HIGHEST /f
  PID: 1452  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\AuthCabs\spoolsv.exe'" /rl HIGHEST /f
  PID: 2320  schtasks.exe /create /tn "95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics9" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe'" /f
  PID: 1196  schtasks.exe /create /tn "95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe'" /rl HIGHEST /f
  PID: 1164  schtasks.exe /create /tn "95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics9" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe'" /rl HIGHEST /f
  PID: 2112  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\lsm.exe'" /f
  PID: 2184  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\lsm.exe'" /rl HIGHEST /f
  PID: 2936  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\lsm.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
(technique counts in parentheses)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Downloads
-
Filesize  2.7MB
MD5  95f59fe3c8e5e66dbd3ec28962845e10
SHA1  465475ba13cbd5282c197bea754d7be3cca36338
SHA256  e105fa995b33fb8c05d0853890b99965dc5aae8fc37c4d365a2e4dcce6819ce6
SHA512  03adbe754f1110cf16c04a8e61f8df6f5cc065b1392fd7d4e1ca2ef5d6294dd9dea0c4a902181282dd1e7972d592031abbee2c768b67dc4df92d19e346f5a824
-
Filesize  2.7MB
MD5  d13437ee39d6f2b1f09625f1caf0d4c5
SHA1  66442a5591c6e1512b05607ed5296645e1b84272
SHA256  77a76936607bb50e2d4b6aa464ae66516c33ef49f98fc9cf1b9fa762039c6fd4
SHA512  526e5c918e5e9ffc42c819c16cb26b0f123dff7ffe396cb8b6e81c7106dde26ce6b89e67c0793944a32cacdec8965598eff5c8ec488098e9b877cee41df54832
-
Filesize  204B
MD5  f7ae452ea5da5749fd9cd2feedb0b24a
SHA1  fb1ac0d22c35ed8253f3d6fba32e39b454d25f5b
SHA256  433db3900e030df8929da34cea166139aa1f44a3398ed4b61d5b944fe199fcc8
SHA512  49a7a6afb504c906b93ced9aa62b420c5d5784ecb3be13b32e10120ae7fedc7cfbe7e88c2100359865acf758f1f86db7c41d9ec28ba04fd0dd6abe73cc6581a1
-
Filesize  2.7MB
MD5  4b27e40b4a36f4c8c98d466957044756
SHA1  8d676275fa33ad879c09b7ea1480a4c0870a4c85
SHA256  4a665614ae892ea73da08b38a39b6efd847f9d17f552de3968106e205512cfec
SHA512  8ad5a5e67f14f071b68f0d96c59acce859901d57a732bf07e5619bdc78fdecc87c17411ab8674a0ac8d3faf642a41e33de52a87a51f6dd5114a590a0e29b0039