Analysis
max time kernel: 91s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-05-2024 12:22
Behavioral task: behavioral1
Sample: c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Size: 2.7MB
MD5: c63f74bf817cee682824dd46e4ce6f20
SHA1: 99e866bcfca39a4273f13795799d1f4d3bd06641
SHA256: 8b4a898c3d88a3e0cafea621e85a524fb74786d20ea94ac29c042506e91474da
SHA512: aaeebb5f2ca208d1b89da51e0baa412a1275cb5d809636556dbbd861e0720bd903a6e844c583334a2c267f51885465d32da62a2096bf49c8422d7e8fa87f1ee7
SSDEEP: 49152:yH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:yHfE5Ad8Xd295UmGc
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Modifies WinLogon for persistence 2 TTPs 12 IoCs
Processes: c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (type str), set by c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe. The value was written 12 times; each write appends one more quoted path to the comma-separated list, so the shortest value observed is
explorer.exe, "C:\Windows\Performance\WinSAT\Registry.exe"
and the longest (the final state, in list order) is
explorer.exe, "C:\Windows\Performance\WinSAT\Registry.exe", "C:\Recovery\WindowsRE\upfc.exe", "C:\Windows\bcastdvr\dllhost.exe", "C:\Recovery\WindowsRE\RuntimeBroker.exe", "C:\Recovery\WindowsRE\RuntimeBroker.exe", "C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe", "C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe", "C:\Windows\L2Schemas\SearchApp.exe", "C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe", "C:\Windows\Sun\Java\Deployment\fontdrvhost.exe", "C:\Users\Public\Music\upfc.exe", "C:\Users\Public\AccountPictures\services.exe"
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (36 instances)
Description (all rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target (all rows): 4196
process (all rows): schtasks.exe
pid: 4472, 2332, 4072, 892, 2828, 4084, 3524, 3724, 448, 1792, 4496, 4140, 2104, 3684, 3964, 1344, 4856, 8, 2212, 3540, 5028, 2160, 952, 4736, 2000, 3252, 2636, 2704, 3568, 4548, 840, 4124, 3812, 64, 4436, 4272
UAC bypass
Processes: c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe, Registry.exe
Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (values of type int)
Set value EnableLUA = "0" by c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Set value ConsentPromptBehaviorAdmin = "0" by c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Set value PromptOnSecureDesktop = "0" by c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Set value EnableLUA = "0" by Registry.exe
Set value ConsentPromptBehaviorAdmin = "0" by Registry.exe
Set value PromptOnSecureDesktop = "0" by Registry.exe
Resources matching YARA rules (resource / yara_rule):
behavioral2/memory/940-1-0x00000000008C0000-0x0000000000B80000-memory.dmp / dcrat
C:\Recovery\WindowsRE\RuntimeBroker.exe / dcrat
C:\Recovery\WindowsRE\RuntimeBroker.exe / dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes: c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation by c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Executes dropped EXE 1 IoCs
Processes: Registry.exe
pid 2332 Registry.exe
Adds Run key to start application 2 TTPs 22 IoCs
Processes: c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
All 22 values are of type str and were set by c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe. Below, HKLM Run stands for \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKCU Run for \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
HKCU Run\fontdrvhost = "C:\Windows\Sun\Java\Deployment\fontdrvhost.exe"
HKLM Run\fontdrvhost = "C:\Windows\Sun\Java\Deployment\fontdrvhost.exe"
HKLM Run\Registry = "C:\Windows\Performance\WinSAT\Registry.exe"
HKLM Run\upfc = "C:\Recovery\WindowsRE\upfc.exe"
HKCU Run\upfc = "C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe"
HKCU Run\spoolsv = "C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe"
HKLM Run\spoolsv = "C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe"
HKLM Run\SearchApp = "C:\Windows\L2Schemas\SearchApp.exe"
HKLM Run\upfc = "C:\Users\Public\Music\upfc.exe"
HKCU Run\dllhost = "C:\Windows\bcastdvr\dllhost.exe"
HKLM Run\RuntimeBroker = "C:\Recovery\WindowsRE\RuntimeBroker.exe"
HKCU Run\dllhost = "C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe"
HKLM Run\dllhost = "C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe"
HKLM Run\services = "C:\Users\Public\AccountPictures\services.exe"
HKCU Run\Registry = "C:\Windows\Performance\WinSAT\Registry.exe"
HKCU Run\upfc = "C:\Recovery\WindowsRE\upfc.exe"
HKCU Run\SearchApp = "C:\Windows\L2Schemas\SearchApp.exe"
HKCU Run\services = "C:\Users\Public\AccountPictures\services.exe"
HKLM Run\dllhost = "C:\Windows\bcastdvr\dllhost.exe"
HKCU Run\RuntimeBroker = "C:\Recovery\WindowsRE\RuntimeBroker.exe"
HKLM Run\upfc = "C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe"
HKCU Run\upfc = "C:\Users\Public\Music\upfc.exe"
Checks whether UAC is enabled
Processes: c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe, Registry.exe
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by Registry.exe
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by Registry.exe
Drops file in Program Files directory 13 IoCs
Processes: c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe (all rows)
File created: C:\Program Files\WindowsApps\fontdrvhost.exe
File opened for modification: C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe
File opened for modification: C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe
File created: C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe
File created: C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24
File created: C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe
File created: C:\Program Files (x86)\Windows Media Player\en-US\5940a34987c991
File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\ea1d8f6d871115
File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe
File opened for modification: C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX5AA8.tmp
File opened for modification: C:\Program Files (x86)\Windows Portable Devices\RCX5CFB.tmp
File opened for modification: C:\Program Files (x86)\Windows Media Player\en-US\RCX6171.tmp
File opened for modification: C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe
Drops file in Windows directory 16 IoCs
Processes: c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe (all rows)
File created: C:\Windows\L2Schemas\38384e6a620884
File opened for modification: C:\Windows\L2Schemas\RCX5F6D.tmp
File created: C:\Windows\Performance\WinSAT\Registry.exe
File created: C:\Windows\L2Schemas\SearchApp.exe
File created: C:\Windows\Sun\Java\Deployment\fontdrvhost.exe
File opened for modification: C:\Windows\bcastdvr\dllhost.exe
File opened for modification: C:\Windows\L2Schemas\SearchApp.exe
File opened for modification: C:\Windows\Sun\Java\Deployment\RCX63F3.tmp
File opened for modification: C:\Windows\Sun\Java\Deployment\fontdrvhost.exe
File opened for modification: C:\Windows\Performance\WinSAT\Registry.exe
File created: C:\Windows\bcastdvr\dllhost.exe
File created: C:\Windows\bcastdvr\5940a34987c991
File opened for modification: C:\Windows\Performance\WinSAT\RCX5005.tmp
File opened for modification: C:\Windows\bcastdvr\RCX542E.tmp
File created: C:\Windows\Performance\WinSAT\ee2ad38f3d4382
File created: C:\Windows\Sun\Java\Deployment\5b884080fd4f94
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (36 instances)
pid: 2160, 4072, 4084, 4856, 4736, 64, 4472, 1792, 4496, 3568, 3524, 3964, 1344, 8, 892, 3724, 448, 4140, 2212, 2000, 2332, 2828, 2104, 3684, 3540, 5028, 3252, 2636, 2704, 4124, 4548, 4436, 4272, 952, 840, 3812
Modifies registry class 1 IoCs
Processes: c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings by c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe, powershell.exe, Registry.exe
The 64 rows (pid / process) repeat the same three pairs, listed in the order they appear:
940 / c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe (repeated)
888 / powershell.exe (repeated)
2332 / Registry.exe (repeated)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe, powershell.exe, Registry.exe
Token: SeDebugPrivilege, pid 940 c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Token: SeDebugPrivilege, pid 888 powershell.exe
Token: SeDebugPrivilege, pid 2332 Registry.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes: c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe, cmd.exe
PID 940 wrote to memory of 888: c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe -> powershell.exe
PID 940 wrote to memory of 888: c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe -> powershell.exe
PID 940 wrote to memory of 4704: c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe -> cmd.exe
PID 940 wrote to memory of 4704: c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe -> cmd.exe
PID 4704 wrote to memory of 3360: cmd.exe -> w32tm.exe
PID 4704 wrote to memory of 3360: cmd.exe -> w32tm.exe
PID 4704 wrote to memory of 2332: cmd.exe -> Registry.exe
PID 4704 wrote to memory of 2332: cmd.exe -> Registry.exe
System policy modification 1 TTPs 6 IoCs
Processes: Registry.exe, c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (values of type int)
Set value PromptOnSecureDesktop = "0" by Registry.exe
Set value EnableLUA = "0" by c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Set value ConsentPromptBehaviorAdmin = "0" by c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Set value PromptOnSecureDesktop = "0" by c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Set value EnableLUA = "0" by Registry.exe
Set value ConsentPromptBehaviorAdmin = "0" by Registry.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:940 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:888
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6UXRAQMNZZ.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:3360
-
-
C:\Windows\Performance\WinSAT\Registry.exe"C:\Windows\Performance\WinSAT\Registry.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2332
-
-
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\Registry.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\Registry.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\Registry.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4072

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:892

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4084

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\bcastdvr\dllhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3524

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3724

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:448

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4140

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3684

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4856

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2212

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3540

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5028

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\SearchApp.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\L2Schemas\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:952

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3252

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2636

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\Java\Deployment\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2704

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3568

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\Sun\Java\Deployment\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4548

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\upfc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\Music\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4124

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3812

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\services.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:64

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4436

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4272
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)