Analysis
max time kernel: 146s
max time network: 144s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 14-05-2024 06:50
Behavioral task: behavioral1
Sample: 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
Resource: win7-20240215-en
General
Target: 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
Size: 2.9MB
MD5: 990d69ce8a7a58fa44a5071429041ff0
SHA1: 0f2603214e0b81c26a094b7e5fe76b7fa40be4b1
SHA256: 15da106135fb0203f99b4cea15f31623008d8d81faf4648b494b2b53a2ee85ce
SHA512: 6197dbd8e964fcc41df771b3defc6e0e2186c93d275bbd9fcc9745298cf3d3631fbfcd21058c2257a8d80f7fe258bcd33d5dbbe23d6b66702297aeeb2edb00dc
SSDEEP: 49152:P4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:gDKmzjWnC8Wikx1DUN2/Uq
Malware Config
Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (x9)
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2552 | 2480 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2492 | 2480 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2392 | 2480 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2820 | 2480 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2816 | 2480 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2828 | 2480 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1364 | 2480 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 884 | 2480 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1360 | 2480 | schtasks.exe |

UAC bypass
Processes: csrss.exe (x7), 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe, csrss.exe (x4)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe

resource | yara_rule
behavioral1/memory/2220-1-0x0000000001380000-0x0000000001666000-memory.dmp | dcrat
C:\Program Files\Windows Mail\de-DE\csrss.exe | dcrat
behavioral1/memory/896-118-0x00000000008A0000-0x0000000000B86000-memory.dmp | dcrat
behavioral1/memory/2828-131-0x0000000000270000-0x0000000000556000-memory.dmp | dcrat
behavioral1/memory/448-144-0x0000000000850000-0x0000000000B36000-memory.dmp | dcrat
behavioral1/memory/1860-156-0x00000000003E0000-0x00000000006C6000-memory.dmp | dcrat
behavioral1/memory/2104-168-0x0000000001260000-0x0000000001546000-memory.dmp | dcrat
behavioral1/memory/2492-181-0x00000000001A0000-0x0000000000486000-memory.dmp | dcrat
behavioral1/memory/2280-194-0x0000000000240000-0x0000000000526000-memory.dmp | dcrat
behavioral1/memory/2924-207-0x0000000000D10000-0x0000000000FF6000-memory.dmp | dcrat
behavioral1/memory/1704-220-0x0000000000250000-0x0000000000536000-memory.dmp | dcrat
behavioral1/memory/2612-232-0x00000000003B0000-0x0000000000696000-memory.dmp | dcrat
behavioral1/memory/2392-244-0x00000000011F0000-0x00000000014D6000-memory.dmp | dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes: powershell.exe (x12)
pid | process
2288 | powershell.exe
2308 | powershell.exe
1560 | powershell.exe
1576 | powershell.exe
1860 | powershell.exe
2020 | powershell.exe
1752 | powershell.exe
1456 | powershell.exe
1580 | powershell.exe
2032 | powershell.exe
1992 | powershell.exe
2344 | powershell.exe

Executes dropped EXE 11 IoCs
Processes: csrss.exe (x11)
pid | process
896 | csrss.exe
2828 | csrss.exe
448 | csrss.exe
1860 | csrss.exe
2104 | csrss.exe
2492 | csrss.exe
2280 | csrss.exe
2924 | csrss.exe
1704 | csrss.exe
2612 | csrss.exe
2392 | csrss.exe

Checks whether UAC is enabled
Processes: csrss.exe (x3), 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe, csrss.exe (x8)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe

Drops file in Program Files directory 8 IoCs
Processes: 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
description | ioc | process
File created | C:\Program Files (x86)\Windows Defender\sppsvc.exe | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Defender\0a1fd5f707cd16 | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Windows Mail\de-DE\RCX11CD.tmp | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\RCX13D1.tmp | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\sppsvc.exe | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
File created | C:\Program Files\Windows Mail\de-DE\csrss.exe | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Windows Mail\de-DE\csrss.exe | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
File created | C:\Program Files\Windows Mail\de-DE\886983d96e3d3e | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (x9)
pid | process
2392 | schtasks.exe
2816 | schtasks.exe
1360 | schtasks.exe
2828 | schtasks.exe
1364 | schtasks.exe
884 | schtasks.exe
2552 | schtasks.exe
2492 | schtasks.exe
2820 | schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes: 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe, powershell.exe (x12), csrss.exe (x11)
pid | process
2220 | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
2308 | powershell.exe
1580 | powershell.exe
1456 | powershell.exe
1576 | powershell.exe
2288 | powershell.exe
2344 | powershell.exe
1752 | powershell.exe
2032 | powershell.exe
1860 | powershell.exe
1992 | powershell.exe
1560 | powershell.exe
2020 | powershell.exe
896 | csrss.exe
2828 | csrss.exe
448 | csrss.exe
1860 | csrss.exe
2104 | csrss.exe
2492 | csrss.exe
2280 | csrss.exe
2924 | csrss.exe
1704 | csrss.exe
2612 | csrss.exe
2392 | csrss.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes: 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe, powershell.exe (x12), csrss.exe (x11)
description | pid | process
Token: SeDebugPrivilege | 2220 | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2308 | powershell.exe
Token: SeDebugPrivilege | 1580 | powershell.exe
Token: SeDebugPrivilege | 1456 | powershell.exe
Token: SeDebugPrivilege | 1576 | powershell.exe
Token: SeDebugPrivilege | 2288 | powershell.exe
Token: SeDebugPrivilege | 2344 | powershell.exe
Token: SeDebugPrivilege | 1752 | powershell.exe
Token: SeDebugPrivilege | 2032 | powershell.exe
Token: SeDebugPrivilege | 1860 | powershell.exe
Token: SeDebugPrivilege | 1992 | powershell.exe
Token: SeDebugPrivilege | 1560 | powershell.exe
Token: SeDebugPrivilege | 2020 | powershell.exe
Token: SeDebugPrivilege | 896 | csrss.exe
Token: SeDebugPrivilege | 2828 | csrss.exe
Token: SeDebugPrivilege | 448 | csrss.exe
Token: SeDebugPrivilege | 1860 | csrss.exe
Token: SeDebugPrivilege | 2104 | csrss.exe
Token: SeDebugPrivilege | 2492 | csrss.exe
Token: SeDebugPrivilege | 2280 | csrss.exe
Token: SeDebugPrivilege | 2924 | csrss.exe
Token: SeDebugPrivilege | 1704 | csrss.exe
Token: SeDebugPrivilege | 2612 | csrss.exe
Token: SeDebugPrivilege | 2392 | csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes: 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe, csrss.exe, WScript.exe, csrss.exe, WScript.exe, csrss.exe, WScript.exe
description | pid | process | target process | entries (number of identical rows in the report)
PID 2220 wrote to memory of 1752 | 2220 | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | powershell.exe | 3
PID 2220 wrote to memory of 1580 | 2220 | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | powershell.exe | 3
PID 2220 wrote to memory of 1992 | 2220 | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | powershell.exe | 3
PID 2220 wrote to memory of 1576 | 2220 | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | powershell.exe | 3
PID 2220 wrote to memory of 1560 | 2220 | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | powershell.exe | 3
PID 2220 wrote to memory of 2344 | 2220 | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | powershell.exe | 3
PID 2220 wrote to memory of 2288 | 2220 | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | powershell.exe | 3
PID 2220 wrote to memory of 1456 | 2220 | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | powershell.exe | 3
PID 2220 wrote to memory of 2308 | 2220 | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | powershell.exe | 3
PID 2220 wrote to memory of 1860 | 2220 | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | powershell.exe | 3
PID 2220 wrote to memory of 2032 | 2220 | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | powershell.exe | 3
PID 2220 wrote to memory of 2020 | 2220 | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | powershell.exe | 3
PID 2220 wrote to memory of 896 | 2220 | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | csrss.exe | 3
PID 896 wrote to memory of 2456 | 896 | csrss.exe | WScript.exe | 3
PID 896 wrote to memory of 2108 | 896 | csrss.exe | WScript.exe | 3
PID 2456 wrote to memory of 2828 | 2456 | WScript.exe | csrss.exe | 3
PID 2828 wrote to memory of 2052 | 2828 | csrss.exe | WScript.exe | 3
PID 2828 wrote to memory of 1720 | 2828 | csrss.exe | WScript.exe | 3
PID 2052 wrote to memory of 448 | 2052 | WScript.exe | csrss.exe | 3
PID 448 wrote to memory of 1180 | 448 | csrss.exe | WScript.exe | 3
PID 448 wrote to memory of 3060 | 448 | csrss.exe | WScript.exe | 3
PID 1180 wrote to memory of 1860 | 1180 | WScript.exe | csrss.exe | 1

System policy modification 1 TTPs 36 IoCs
Processes: csrss.exe (x7), 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe, csrss.exe (x4)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2220 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1560
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2288
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020
-
-
C:\Program Files\Windows Mail\de-DE\csrss.exe"C:\Program Files\Windows Mail\de-DE\csrss.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:896 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\185407a1-ef0e-49cb-bb20-f12afe194798.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Program Files\Windows Mail\de-DE\csrss.exe"C:\Program Files\Windows Mail\de-DE\csrss.exe"4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2828 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65ece361-dcc8-4f65-a168-3819c64827e4.vbs"5⤵
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Program Files\Windows Mail\de-DE\csrss.exe"C:\Program Files\Windows Mail\de-DE\csrss.exe"6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:448
Level 7: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0820b82f-a8e5-40b9-9995-cf1648b2048c.vbs"
- Suspicious use of WriteProcessMemory
PID:1180
Level 8: C:\Program Files\Windows Mail\de-DE\csrss.exe
Command line: "C:\Program Files\Windows Mail\de-DE\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1860
Level 9: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db8388fb-6b8b-4fda-9e41-6e3429531204.vbs"
PID:2888
Level 10: C:\Program Files\Windows Mail\de-DE\csrss.exe
Command line: "C:\Program Files\Windows Mail\de-DE\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2104
Level 11: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd99fce0-ac1b-46fd-9122-36b30a3e3fbf.vbs"
PID:2552
Level 12: C:\Program Files\Windows Mail\de-DE\csrss.exe
Command line: "C:\Program Files\Windows Mail\de-DE\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2492
Level 13: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77706628-256a-49f6-8c13-a93066434f0b.vbs"
PID:2320
Level 14: C:\Program Files\Windows Mail\de-DE\csrss.exe
Command line: "C:\Program Files\Windows Mail\de-DE\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2280
Level 15: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07944de0-2386-49f3-91c3-da6a00fac3b5.vbs"
PID:1576
Level 16: C:\Program Files\Windows Mail\de-DE\csrss.exe
Command line: "C:\Program Files\Windows Mail\de-DE\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2924
Level 17: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bef2283-08d7-4f2f-bd3c-589bdc35db91.vbs"
PID:2252
Level 18: C:\Program Files\Windows Mail\de-DE\csrss.exe
Command line: "C:\Program Files\Windows Mail\de-DE\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1704
Level 19: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65017ef3-98ba-4741-9dd2-eefad4c3ce61.vbs"
PID:2420
Level 20: C:\Program Files\Windows Mail\de-DE\csrss.exe
Command line: "C:\Program Files\Windows Mail\de-DE\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2612
Level 21: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a26a97e-cb72-4e26-943a-07127c6e85ef.vbs"
PID:2828
Level 22: C:\Program Files\Windows Mail\de-DE\csrss.exe
Command line: "C:\Program Files\Windows Mail\de-DE\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2392
Level 23: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\524ae021-d61c-4395-8cf9-750c7515d172.vbs"
PID:2856
Level 23: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3473047-791a-4789-8d9c-f75c66375ea1.vbs"
PID:2900
Level 21: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\671c2fdd-fae3-4bf4-87e8-e28394d58414.vbs"
PID:2844
Level 19: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ff5d5e5-5242-40a8-b8e3-7cc09728c1c6.vbs"
PID:896
Level 17: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93a1f5eb-8af0-4260-b151-4f064e3d1a0b.vbs"
PID:2300
Level 15: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d1c1e8d-cc21-41da-af0d-dd50df4c0d25.vbs"
PID:1900
Level 13: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8b85c59-4d2e-460d-b78c-f6c272b2f1e2.vbs"
PID:2576
Level 11: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2842139-e063-4a4d-a0fb-3d6d9acde562.vbs"
PID:1360
Level 9: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\449b550b-8a6b-4954-af14-4cff9cbf12fb.vbs"
PID:824
Level 7: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\851a19cf-dab5-4d14-b289-10fcb40586d1.vbs"
PID:3060
Level 5: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72caf75e-cad9-4781-8c2e-d913ab3af909.vbs"
PID:1720
Level 3: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86f77dcd-f637-4fda-a349-7269bc1d1464.vbs"
PID:2108
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\de-DE\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\de-DE\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2392
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\sppsvc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2820
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1360
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism: Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads