Analysis
max time kernel: 136s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-05-2024 06:37
Behavioral task behavioral1
  Sample: 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
  Resource: win7-20231129-en
Behavioral task behavioral2
  Sample: 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Size: 2.7MB
MD5: 95f59fe3c8e5e66dbd3ec28962845e10
SHA1: 465475ba13cbd5282c197bea754d7be3cca36338
SHA256: e105fa995b33fb8c05d0853890b99965dc5aae8fc37c4d365a2e4dcce6819ce6
SHA512: 03adbe754f1110cf16c04a8e61f8df6f5cc065b1392fd7d4e1ca2ef5d6294dd9dea0c4a902181282dd1e7972d592031abbee2c768b67dc4df92d19e346f5a824
SSDEEP: 49152:yH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:yHfE5Ad8Xd295UmGc
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Modifies WinLogon for persistence (2 TTPs, 5 IoCs)
Processes: 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Admin\\Pictures\\Camera Roll\\sppsvc.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Admin\\Pictures\\Camera Roll\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\MusNotification.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Admin\\Pictures\\Camera Roll\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\MusNotification.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\csrss.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Admin\\Pictures\\Camera Roll\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\MusNotification.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\csrss.exe\", \"C:\\Users\\Admin\\Cookies\\RuntimeBroker.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Process spawned unexpected child process (15 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3868 | 924 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1480 | 924 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1568 | 924 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3024 | 924 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3796 | 924 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1840 | 924 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2236 | 924 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1420 | 924 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3176 | 924 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 384 | 924 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2988 | 924 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2260 | 924 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4228 | 924 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1272 | 924 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 852 | 924 | schtasks.exe
UAC bypass (6 IoCs)
Processes: 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe, RuntimeBroker.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Processes:
resource | yara_rule
behavioral2/memory/2660-1-0x00000000008B0000-0x0000000000B70000-memory.dmp | dcrat
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\RuntimeBroker.exe | dcrat
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes: 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Executes dropped EXE (1 IoC)
Processes: RuntimeBroker.exe
pid | process
2652 | RuntimeBroker.exe
Adds Run key to start application (2 TTPs, 10 IoCs)
Processes: 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\Cookies\\RuntimeBroker.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Admin\\Pictures\\Camera Roll\\sppsvc.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Admin\\Pictures\\Camera Roll\\sppsvc.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Recovery\\WindowsRE\\MusNotification.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Multimedia Platform\\csrss.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Recovery\\WindowsRE\\MusNotification.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Multimedia Platform\\csrss.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\Cookies\\RuntimeBroker.exe\"" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Checks whether UAC is enabled (4 IoCs)
Processes: 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe, RuntimeBroker.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Drops file in Program Files directory (5 IoCs)
Processes: 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
description | ioc | process
File created | C:\Program Files\ModifiableWindowsApps\RuntimeBroker.exe | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File created | C:\Program Files\Windows Multimedia Platform\csrss.exe | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File created | C:\Program Files\Windows Multimedia Platform\886983d96e3d3e | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Windows Multimedia Platform\RCX42F8.tmp | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Windows Multimedia Platform\csrss.exe | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 15 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe
pid | process
schtasks.exe PIDs: 1272, 3024, 1840, 3176, 1568, 3796, 384, 2988, 4228, 852, 1420, 2260, 3868, 1480, 2236
Modifies registry class (1 IoC)
Processes: 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses (43 IoCs)
Processes: 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe, powershell.exe, RuntimeBroker.exe
pid | process | occurrences
2660 | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe | 33
4388 | powershell.exe | 2
2652 | RuntimeBroker.exe | 8
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe, powershell.exe, RuntimeBroker.exe
description | pid | process
Token: SeDebugPrivilege | 2660 | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Token: SeDebugPrivilege | 4388 | powershell.exe
Token: SeDebugPrivilege | 2652 | RuntimeBroker.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe, cmd.exe
description | pid | process | target process
PID 2660 wrote to memory of 4388 | 2660 | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe | powershell.exe
PID 2660 wrote to memory of 4388 | 2660 | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe | powershell.exe
PID 2660 wrote to memory of 4316 | 2660 | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe | cmd.exe
PID 2660 wrote to memory of 4316 | 2660 | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe | cmd.exe
PID 4316 wrote to memory of 1452 | 4316 | cmd.exe | w32tm.exe
PID 4316 wrote to memory of 1452 | 4316 | cmd.exe | w32tm.exe
PID 4316 wrote to memory of 2652 | 4316 | cmd.exe | RuntimeBroker.exe
PID 4316 wrote to memory of 2652 | 4316 | cmd.exe | RuntimeBroker.exe
System policy modification (1 TTP, 6 IoCs)
Processes: 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe, RuntimeBroker.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe (PID 2660)
  Command line: "C:\Users\Admin\AppData\Local\Temp\95f59fe3c8e5e66dbd3ec28962845e10_NeikiAnalytics.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4388)
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\cmd.exe (PID 4316)
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XOrWkEHkVb.bat"
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\w32tm.exe (PID 1452)
          Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        C:\Users\Admin\Cookies\RuntimeBroker.exe (PID 2652)
          Command line: "C:\Users\Admin\Cookies\RuntimeBroker.exe"
          - UAC bypass
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - System policy modification
C:\Windows\system32\schtasks.exe (PID 3868)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 1480)
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 1568)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 3024)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Pictures\Camera Roll\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 3796)
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Camera Roll\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 1840)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Pictures\Camera Roll\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 2236)
  Command line: schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 1420)
  Command line: schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 3176)
  Command line: schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 384)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 2988)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 2260)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 4228)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Cookies\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 1272)
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe (PID 852)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Cookies\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)