Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-05-2024 06:50
Behavioral task: behavioral1
Sample: 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
Resource: win7-20240215-en
General
Target: 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
Size: 2.9MB
MD5: 990d69ce8a7a58fa44a5071429041ff0
SHA1: 0f2603214e0b81c26a094b7e5fe76b7fa40be4b1
SHA256: 15da106135fb0203f99b4cea15f31623008d8d81faf4648b494b2b53a2ee85ce
SHA512: 6197dbd8e964fcc41df771b3defc6e0e2186c93d275bbd9fcc9745298cf3d3631fbfcd21058c2257a8d80f7fe258bcd33d5dbbe23d6b66702297aeeb2edb00dc
SSDEEP: 49152:P4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:gDKmzjWnC8Wikx1DUN2/Uq
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process target process (36 entries)
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4652, 2092, 552, 1796, 1056, 4736, 2216, 2984, 1680, 3020, 4404, 3452, 4756, 2916, 464, 4424, 3192, 4192, 4304, 1040, 2828, 3488, 5084, 4680, 2580, 3944, 4616, 1464, 232, 4536, 3516, 1080, 2788, 4932, 1016, 496 | 4744 | schtasks.exe
Processes:
description | ioc | process (42 entries)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe (13 entries), 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe (1 entry)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe (13 entries), 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe (1 entry)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe (13 entries), 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe (1 entry)
Processes:
resource | yara_rule
behavioral2/memory/2020-1-0x0000000000360000-0x0000000000646000-memory.dmp | dcrat
C:\Users\Public\AccountPictures\upfc.exe | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process (11 entries, all powershell.exe): 4480, 4356, 4540, 4560, 1476, 2284, 3160, 1724, 4864, 2572, 2652
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process (14 entries)
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | SppExtComObj.exe (13 entries), 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe (1 entry)
Executes dropped EXE 13 IoCs
Processes:
pid | process (13 entries, all SppExtComObj.exe): 1056, 1452, 1356, 2844, 3800, 3240, 3772, 4540, 736, 1800, 4104, 2848, 4608
Processes:
description | ioc | process (28 entries)
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SppExtComObj.exe (13 entries), 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe (1 entry)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe (13 entries), 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe (1 entry)
Drops file in Program Files directory 16 IoCs
Processes:
description | ioc (16 entries, all by process 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe)
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\6cb0b6c459d5d3
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX5A5C.tmp
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCX5E65.tmp
File created | C:\Program Files\Common Files\System\Ole DB\de-DE\9e8d7a4ca61bd9
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\dwm.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\0a1fd5f707cd16
File opened for modification | C:\Program Files\Common Files\System\Ole DB\de-DE\RCX4DC3.tmp
File opened for modification | C:\Program Files\Windows Portable Devices\RCX64F0.tmp
File created | C:\Program Files\Common Files\System\Ole DB\de-DE\RuntimeBroker.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\sppsvc.exe
File opened for modification | C:\Program Files\Windows Portable Devices\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
File created | C:\Program Files\Windows Portable Devices\4a9bcf20ca9da3
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\sppsvc.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\dwm.exe
File opened for modification | C:\Program Files\Common Files\System\Ole DB\de-DE\RuntimeBroker.exe
File created | C:\Program Files\Windows Portable Devices\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
Drops file in Windows directory 4 IoCs
Processes:
description | ioc (4 entries, all by process 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe)
File created | C:\Windows\ja-JP\taskhostw.exe
File created | C:\Windows\ja-JP\ea9f0e6c9e2dcd
File opened for modification | C:\Windows\ja-JP\RCX606A.tmp
File opened for modification | C:\Windows\ja-JP\taskhostw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process (36 entries, all schtasks.exe): 4736, 5084, 496, 3020, 4192, 4304, 2580, 232, 4404, 3944, 4616, 4652, 2092, 1056, 2984, 3192, 4680, 1796, 3488, 2788, 2216, 464, 1040, 4536, 4932, 1080, 552, 3452, 4756, 2916, 1464, 3516, 1680, 4424, 2828, 1016
Modifies registry class 14 IoCs
Processes:
description | ioc | process (14 entries)
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | SppExtComObj.exe (13 entries)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe (1 entry)
Suspicious behavior: EnumeratesProcesses 54 IoCs
Processes:
pid | process (54 entries)
2020 | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe (7 entries)
3160, 2572, 4560, 2284, 4540, 1476, 1724, 2652, 4480, 4864, 4356 | powershell.exe (3 entries per pid, 33 in total)
1056 | SppExtComObj.exe (2 entries)
1452, 1356, 2844, 3800, 3240, 3772, 4540, 736, 1800, 4104, 2848, 4608 | SppExtComObj.exe (1 entry per pid)
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes:
description | pid | process (25 entries)
Token: SeDebugPrivilege | 2020 | 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
Token: SeDebugPrivilege | 3160, 2572, 4560, 4480, 2284, 4540, 1476, 1724, 2652, 4864, 4356 | powershell.exe
Token: SeDebugPrivilege | 1056, 1452, 1356, 2844, 3800, 3240, 3772, 4540, 736, 1800, 4104, 2848, 4608 | SppExtComObj.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
pid process -> target pid(s) target process (64 entries; each write below is recorded twice in the report)
2020 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe -> 2572, 4864, 3160, 2652, 1724, 4480, 4356, 4540, 4560, 1476, 2284 powershell.exe
2020 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe -> 1056 SppExtComObj.exe
1056 SppExtComObj.exe -> 824, 3928 WScript.exe
824 WScript.exe -> 1452 SppExtComObj.exe
1452 SppExtComObj.exe -> 772, 1760 WScript.exe
772 WScript.exe -> 1356 SppExtComObj.exe
1356 SppExtComObj.exe -> 4192, 716 WScript.exe
4192 WScript.exe -> 2844 SppExtComObj.exe
2844 SppExtComObj.exe -> 4968, 3980 WScript.exe
4968 WScript.exe -> 3800 SppExtComObj.exe
3800 SppExtComObj.exe -> 4760, 1648 WScript.exe
4760 WScript.exe -> 3240 SppExtComObj.exe
3240 SppExtComObj.exe -> 4908, 544 WScript.exe
4908 WScript.exe -> 3772 SppExtComObj.exe
3772 SppExtComObj.exe -> 3548, 4088 WScript.exe
System policy modification 1 TTPs 42 IoCs
The original table lists 42 registry writes from 14 processes (3 by 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe, one per value, and 39 by SppExtComObj.exe instances). Every write sets one of the following three UAC policy values to 0:
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The bracketed number before each image path is that process's depth in the process tree (1 = top level).
-
[1] C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe"
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2020
-
[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (11 instances, all children of PID 2020)
Each instance adds one Windows Defender exclusion path via Add-MpPreference and triggers the same three signatures:
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Command lines by PID:
PID 2572: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
PID 4864: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
PID 3160: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
PID 2652: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
PID 1724: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
PID 4480: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
PID 4356: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
PID 4540: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
PID 4560: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
PID 1476: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
PID 2284: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
-
[2] to [26] C:\Users\Admin\3D Objects\SppExtComObj.exe and [3] to [27] C:\Windows\System32\WScript.exe
The dropped SppExtComObj.exe and WScript.exe alternate down a 27-level chain under PID 2020. Every SppExtComObj.exe instance launches two WScript.exe children, each running a .vbs from C:\Users\Admin\AppData\Local\Temp\; one of the two starts the next SppExtComObj.exe instance, the other has no children. The chain ends at depth 27.

Every SppExtComObj.exe instance has the command line "C:\Users\Admin\3D Objects\SppExtComObj.exe" and triggers:
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory (instances at depths 2 to 14 only)
- System policy modification

Every WScript.exe instance has the command line "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\<script>.vbs". The instances at depths 3 to 13 that start the next SppExtComObj.exe also trigger "Suspicious use of WriteProcessMemory"; all other WScript.exe instances trigger no signature.

Chain by depth (process, PID, script):
[2] SppExtComObj.exe, PID 1056
[3] WScript.exe, PID 824, 580e6d49-501c-483a-869b-dac2c20f6530.vbs (starts [4])
[3] WScript.exe, PID 3928, 72411b9a-1b64-411e-b136-f1c8f2904253.vbs
[4] SppExtComObj.exe, PID 1452
[5] WScript.exe, PID 772, efe6c4d6-13d3-4e30-bb46-2d5923511c87.vbs (starts [6])
[5] WScript.exe, PID 1760, 1f4d8413-d2c1-49d0-84b6-d12268af822a.vbs
[6] SppExtComObj.exe, PID 1356
[7] WScript.exe, PID 4192, 0f42521d-d304-4ca0-9e07-96b98e367b7a.vbs (starts [8])
[7] WScript.exe, PID 716, 9bc53753-9262-40c8-b44d-4ce12fa3ff01.vbs
[8] SppExtComObj.exe, PID 2844
[9] WScript.exe, PID 4968, c2403ed1-88d0-4def-94ee-e65b0f5438fe.vbs (starts [10])
[9] WScript.exe, PID 3980, 53a9ee48-457d-46d3-9dfc-0b6b42d9c706.vbs
[10] SppExtComObj.exe, PID 3800
[11] WScript.exe, PID 4760, 69dcb746-bdfd-4d55-ac14-97726c13fc77.vbs (starts [12])
[11] WScript.exe, PID 1648, 4d4fdff9-780a-4e02-ba1e-9c47a6dbd49e.vbs
[12] SppExtComObj.exe, PID 3240
[13] WScript.exe, PID 4908, 16372a9e-090c-4b0f-832b-b6453d83b460.vbs (starts [14])
[13] WScript.exe, PID 544, 1ae344fa-3040-415e-afad-f49448d84ed3.vbs
[14] SppExtComObj.exe, PID 3772
[15] WScript.exe, PID 3548, 922bd387-fa3d-433a-a1b0-558a256367bf.vbs (starts [16])
[15] WScript.exe, PID 4088, eedc1119-48bc-4ddd-8011-6398a5cd4d1b.vbs
[16] SppExtComObj.exe, PID 4540
[17] WScript.exe, PID 3440, d97244f6-647f-4dcc-a433-4fdc7b4809ba.vbs (starts [18])
[17] WScript.exe, PID 2448, 1fb5868a-cc92-4405-b2de-4beb5cb645d7.vbs
[18] SppExtComObj.exe, PID 736
[19] WScript.exe, PID 4600, feec2a2a-2a22-444b-b4d5-9b3ac93ccaad.vbs (starts [20])
[19] WScript.exe, PID 2756, bf6aa1e6-bb90-464b-9539-7e9cb709b362.vbs
[20] SppExtComObj.exe, PID 1800
[21] WScript.exe, PID 4968, 3eefc39f-8364-43e6-b95b-0d7a62a6b78b.vbs (starts [22])
[21] WScript.exe, PID 2968, 56b5a343-2940-468d-933d-cc46adec1221.vbs
[22] SppExtComObj.exe, PID 4104
[23] WScript.exe, PID 496, b698445b-2e7d-46be-898b-796a0cecbce0.vbs (starts [24])
[23] WScript.exe, PID 3148, e5e3fb83-6ccf-40c6-931c-977c41da27e1.vbs
[24] SppExtComObj.exe, PID 2848
[25] WScript.exe, PID 1324, ee3971d7-f84a-4037-9f97-58605f3f601c.vbs (starts [26])
[25] WScript.exe, PID 3452, 781357dd-8bdd-4b6c-8499-226a598bc7e4.vbs
[26] SppExtComObj.exe, PID 4608
[27] WScript.exe, PID 3996, 1a6f3239-54ca-47b9-a8f6-b302f98eff25.vbs
[27] WScript.exe, PID 4632, 7d3da84c-652c-4ac1-bf84-5888f73f1a66.vbs
-
[1] C:\Windows\system32\schtasks.exe (36 instances, each shown at depth 1 of the tree)
Each instance triggers the same two signatures:
- Process spawned unexpected child process
- Creates scheduled task(s)
Command lines by PID:
PID 4652: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\System\Ole DB\de-DE\RuntimeBroker.exe'" /f
PID 2092: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\Ole DB\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
PID 552: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\System\Ole DB\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
PID 1796: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\explorer.exe'" /f
PID 1056: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
PID 4736: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
PID 2216: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Idle.exe'" /f
PID 2984: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
PID 1680: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
PID 3020: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
PID 4404: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
PID 3452: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
PID 4756: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\upfc.exe'" /f
PID 2916: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\upfc.exe'" /rl HIGHEST /f
PID 464: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\upfc.exe'" /rl HIGHEST /f
PID 4424: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
PID 3192: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
PID 4192: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
PID 4304: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\sppsvc.exe'" /f
PID 1040: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\sppsvc.exe'" /rl HIGHEST /f
PID 2828: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\sppsvc.exe'" /rl HIGHEST /f
PID 3488: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\3D Objects\SppExtComObj.exe'" /f
PID 5084: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\SppExtComObj.exe'" /rl HIGHEST /f
PID 4680: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\3D Objects\SppExtComObj.exe'" /rl HIGHEST /f
PID 2580: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dwm.exe'" /f
PID 3944: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dwm.exe'" /rl HIGHEST /f
PID 4616: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dwm.exe'" /rl HIGHEST /f
PID 1464: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\taskhostw.exe'" /f
PID 232: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\ja-JP\taskhostw.exe'" /rl HIGHEST /f
PID 4536: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\taskhostw.exe'" /rl HIGHEST /f
PID 3516: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\My Music\dllhost.exe'" /f
PID 1080: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\dllhost.exe'" /rl HIGHEST /f
PID 2788: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Music\dllhost.exe'" /rl HIGHEST /f
PID 4932: schtasks.exe /create /tn "990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics9" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe'" /f
PID 1016: schtasks.exe /create /tn "990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe'" /rl HIGHEST /f
PID 496: schtasks.exe /create /tn "990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics9" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads
SHA15cd1533fc6dd57551dda3537c22ffd815abd3339
SHA256220e2962ecf7ce53a8851eacb7dd65d2c711e0237abc23ba28b0ddc728a3caa6
SHA51265fcfc7fe30ad2916a76ed595e4edbbac65d49d7811505ea0af6014c005c7fb74925418b20e34bff12a0dbdae0e0f3833a44c2c20ef3e7c31c16508c314c9785
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
718B
MD5f5e58d8e80dee00d174276ec00375efa
SHA1b217de7063451b9a46b494c646ec1fddac32eb6a
SHA256d16e1670aa57c22be8d056eda3e62319e7672f821bdaca8f73fdbfe5302eacc8
SHA5125cfa3404dd974e18159d26776ff3f42f4d05be90a42f5ddad7fd35f3e6033460d214a43b952b0ee85a9f0471f9796f81e26c3883a1f84e48dddcdfc94438a9d4
-
Filesize
718B
MD591de3dfec418c70ae39d6507c9b2ceba
SHA13b52328a9682b572dd1e0d137e33e2fc0689b1b0
SHA25648e382747b2e1dc7a9fa4e72010c718827d10532181d156e296628857e58f222
SHA512d8709e031aa0d0a93ca408878c0095a3ce1de817014f8cc518fb4f974b7ba3f07099f5a6c74921231539e014f79a077b076e24446eb0a93ed30eebe184f73dac
-
Filesize
718B
MD52b6901c2dfeeb0ac8fef18794968e1bd
SHA1babff4bc382a1fdb544770d6218272fd383eb33b
SHA2569705dd0b9cf8fbb392bee8bc26cf1a9cd197f65b389d347efdbf6ba24a279859
SHA512230e6c21ea31d0bca2e1a7b7274c86a381a34fba41a5dcbdc48d1f53e91aff3f6e6785bdde72ba4e4c0195c0480228f5d37f28b77c6872e6feddf103d60117fe
-
Filesize
718B
MD5f5bc2ca43dd4e556b28d96c73574987c
SHA116634219c4311932c4f464fd1604ab8713d75856
SHA256fec3bb781902107ad1d22bb73051b04431c666945f49998097174c8e4f157222
SHA5124ad71e8c9805aa9332df6347ec3b7b50e0613be9227e56eab83591c5c3a2a102bfa6e9334568efe7adf52499a351abb57091792a16cd177a8dc26f981d3f380a
-
Filesize
718B
MD52ce1b2ed44fd64355f48656b60b3fca9
SHA1a790b5038ce9d289f37356819fad5765acdeb9db
SHA256d409324b7b093d461b6549fe661317a5c50ff7492961a48949ec26365ab96d73
SHA5124cf00eb02f774949bc135e4e246eddc863e323a8c0b48c509f3ba620639a3a6fe02b5408269a027c946f039c6d3b7b738aead4720217936d6a1e96a3f39bc6eb
-
Filesize
717B
MD55076cc7c56f86fb6f4d7f84130ffdfd1
SHA1ef5db15598b91f65a2f5366acff769bed881bad5
SHA256fc1afd9b06788cbc931e5c1645693f2ee06a13290321fe984ef25c8bc8ed6877
SHA512f180bb1e7f70f9e04b8b1002b632a250ddb5a610183df81b9c47abbb759808c5d47251ad1cad37ebddcfdd96a89c5b5788428b4fdf04d97b1a52027deb52283c
-
Filesize
2.9MB
MD5990d69ce8a7a58fa44a5071429041ff0
SHA10f2603214e0b81c26a094b7e5fe76b7fa40be4b1
SHA25615da106135fb0203f99b4cea15f31623008d8d81faf4648b494b2b53a2ee85ce
SHA5126197dbd8e964fcc41df771b3defc6e0e2186c93d275bbd9fcc9745298cf3d3631fbfcd21058c2257a8d80f7fe258bcd33d5dbbe23d6b66702297aeeb2edb00dc