Analysis

max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-05-2024 19:23

Behavioral task: behavioral1
Sample: 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
Resource: win7-20240221-en

General

Target: 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
Size: 3.2MB
MD5: 1553f67a0859a3057cde01f77db9dbc0
SHA1: 2cfe40d1fea16093e16c96a35f3240b98da9a5e1
SHA256: a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152
SHA512: 4ff68e4ad4299aa2ca2be8dfd1742d641cf9aee6b687f94b1e3c68062630b2e167a13550a8a184c8ff5a3df1da5b3182ebd29759a84a219af37a8688df6f0de5
SSDEEP: 49152:vC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:vC0Fl8v/qXYrv5tG9uKJGAWl5N
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Processes:
resource | yara_rule
behavioral2/memory/228-1-0x0000000000380000-0x00000000006BC000-memory.dmp | dcrat
C:\Windows\es-ES\fontdrvhost.exe | dcrat
C:\Windows\es-ES\fontdrvhost.exe | dcrat
C:\Recovery\WindowsRE\explorer.exe | dcrat
C:\Program Files (x86)\Windows Photo Viewer\wininit.exe | dcrat
C:\Program Files\dotnet\RCX716D.tmp | dcrat
C:\ProgramData\Microsoft\Windows\Start Menu\dwm.exe | dcrat
C:\Windows\Downloaded Program Files\StartMenuExperienceHost.exe | dcrat
C:\Users\Admin\Music\TextInputHost.exe | dcrat
C:\Recovery\WindowsRE\RuntimeBroker.exe | dcrat
behavioral2/memory/4684-447-0x0000000000F60000-0x000000000129C000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | dwm.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | dwm.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | dwm.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | dwm.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | dwm.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | dwm.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | dwm.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
Executes dropped EXE 7 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Drops file in Program Files directory 35 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Windows Photo Viewer\lsass.exe | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Windows NT\TableTextService\en-US\RCX6F58.tmp | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\dotnet\smss.exe | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Common Files\Adobe\66fc9ff0ee96c2 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\sppsvc.exe | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\RCX6AC1.tmp | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\RCX6D54.tmp | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\6203df4a6bafc7 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\wininit.exe | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\RCX5C5D.tmp | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\RCX60C5.tmp | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\RCX6CD6.tmp | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\0a1fd5f707cd16 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File created | C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File created | C:\Program Files\Windows NT\TableTextService\en-US\886983d96e3d3e | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\RCX5C4D.tmp | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\RCX7899.tmp | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\RCX781B.tmp | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Defender\dllhost.exe | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Defender\5940a34987c991 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Common Files\Adobe\sihost.exe | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\RCX60D6.tmp | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\RCX6AC0.tmp | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\sppsvc.exe | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\dllhost.exe | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\dotnet\RCX716D.tmp | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\dotnet\RCX717E.tmp | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\lsass.exe | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\wininit.exe | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\sihost.exe | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\56085415360792 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File created | C:\Program Files\dotnet\smss.exe | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File created | C:\Program Files\dotnet\69ddcba757bf72 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Windows NT\TableTextService\en-US\RCX6F59.tmp | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
Drops file in Windows directory 15 IoCs
Processes:
description | ioc | process
File created | C:\Windows\es-ES\fontdrvhost.exe | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File created | C:\Windows\es-ES\5b884080fd4f94 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File created | C:\Windows\ShellExperiences\6203df4a6bafc7 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\es-ES\fontdrvhost.exe | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\Downloaded Program Files\RCX7B1B.tmp | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File created | C:\Windows\ShellExperiences\lsass.exe | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\Downloaded Program Files\RCX7A9D.tmp | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File created | C:\Windows\Downloaded Program Files\55b276f4edf653 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File created | C:\Windows\Downloaded Program Files\StartMenuExperienceHost.exe | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\es-ES\RCX630A.tmp | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\es-ES\RCX6388.tmp | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\ShellExperiences\RCX682E.tmp | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\ShellExperiences\RCX682F.tmp | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\ShellExperiences\lsass.exe | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\Downloaded Program Files\StartMenuExperienceHost.exe | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies registry class 8 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | dwm.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 228 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
Token: SeDebugPrivilege | 3948 | powershell.exe
Token: SeDebugPrivilege | 2508 | powershell.exe
Token: SeDebugPrivilege | 2424 | powershell.exe
Token: SeDebugPrivilege | 3372 | powershell.exe
Token: SeDebugPrivilege | 4544 | powershell.exe
Token: SeDebugPrivilege | 396 | powershell.exe
Token: SeDebugPrivilege | 3716 | powershell.exe
Token: SeDebugPrivilege | 1212 | powershell.exe
Token: SeDebugPrivilege | 2572 | powershell.exe
Token: SeDebugPrivilege | 1744 | powershell.exe
Token: SeDebugPrivilege | 4856 | powershell.exe
Token: SeDebugPrivilege | 4684 | dwm.exe
Token: SeDebugPrivilege | 3264 | dwm.exe
Token: SeDebugPrivilege | 3416 | dwm.exe
Token: SeDebugPrivilege | 5056 | dwm.exe
Token: SeDebugPrivilege | 1512 | dwm.exe
Token: SeDebugPrivilege | 744 | dwm.exe
Token: SeDebugPrivilege | 3712 | dwm.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 24 IoCs
Processes: 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe, dwm.exe, dwm.exe, dwm.exe, dwm.exe, dwm.exe, dwm.exe, dwm.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe"
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 228

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 1212

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 2572

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 4544

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 2508

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 4856

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 3716

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 396

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 1744

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 3948

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 3372

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 2424

  C:\Users\All Users\Start Menu\dwm.exe
  Command line: "C:\Users\All Users\Start Menu\dwm.exe"
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 4684

    C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab7e06f9-2cc8-4039-a499-49e52af85ad2.vbs"
    - Suspicious use of WriteProcessMemory
    PID: 768

      C:\Users\All Users\Start Menu\dwm.exe
      Command line: "C:\Users\All Users\Start Menu\dwm.exe"
      - UAC bypass
      - Checks computer location settings
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 3264

        C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81c5646d-102c-46e0-92fd-129b90595df8.vbs"
        - Suspicious use of WriteProcessMemory
        PID: 4148

          C:\Users\All Users\Start Menu\dwm.exe
          Command line: "C:\Users\All Users\Start Menu\dwm.exe"
          - UAC bypass
          - Checks computer location settings
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
          PID: 3416

            C:\Windows\System32\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6fc0a39-883a-46ff-a6d3-d13ba2e70843.vbs"
            - Suspicious use of WriteProcessMemory
            PID: 3424

              C:\Users\All Users\Start Menu\dwm.exe
              Command line: "C:\Users\All Users\Start Menu\dwm.exe"
              - UAC bypass
              - Checks computer location settings
              - Executes dropped EXE
              - Checks whether UAC is enabled
              - Modifies registry class
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification
              PID: 5056

                C:\Windows\System32\WScript.exe
                Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b745de3f-71bb-43d1-b5ee-dbf9a731a082.vbs"
                - Suspicious use of WriteProcessMemory
                PID: 2076

                  C:\Users\All Users\Start Menu\dwm.exe
                  Command line: "C:\Users\All Users\Start Menu\dwm.exe"
                  - UAC bypass
                  - Checks computer location settings
                  - Executes dropped EXE
                  - Checks whether UAC is enabled
                  - Modifies registry class
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  - System policy modification
                  PID: 1512

                    C:\Windows\System32\WScript.exe
                    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\963ae9cf-215a-4c39-9f8a-a4cbef438161.vbs"
                    - Suspicious use of WriteProcessMemory
                    PID: 2956

                      C:\Users\All Users\Start Menu\dwm.exe
                      Command line: "C:\Users\All Users\Start Menu\dwm.exe"
                      - UAC bypass
                      - Checks computer location settings
                      - Executes dropped EXE
                      - Checks whether UAC is enabled
                      - Modifies registry class
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      - System policy modification
                      PID: 744

                        C:\Windows\System32\WScript.exe
                        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b32fa960-2f85-4070-ba3e-49aa4a739b40.vbs"
                        - Suspicious use of WriteProcessMemory
                        PID: 5004

                          C:\Users\All Users\Start Menu\dwm.exe
                          Command line: "C:\Users\All Users\Start Menu\dwm.exe"
                          - UAC bypass
                          - Checks computer location settings
                          - Executes dropped EXE
                          - Checks whether UAC is enabled
                          - Modifies registry class
                          - Suspicious use of AdjustPrivilegeToken
                          - Suspicious use of WriteProcessMemory
                          - System policy modification
                          PID: 3712

                            C:\Windows\System32\WScript.exe
                            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91ca450c-7cd1-4794-aa05-82bfcf12046a.vbs"
                            PID: 4768

                            C:\Windows\System32\WScript.exe
                            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcdffa1d-bcbd-4b73-8a64-cced2c4b1fe6.vbs"
                            PID: 4004

                        C:\Windows\System32\WScript.exe
                        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\811ad167-1cf8-4192-bfe4-82bbbbc5e7d3.vbs"
                        PID: 4848

                    C:\Windows\System32\WScript.exe
                    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6740a6cb-9ad3-4f11-9b0c-c00dfa9ff0d3.vbs"
                    PID: 1212

                C:\Windows\System32\WScript.exe
                Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fd181d3-d663-466c-8a85-35734ecdd0bb.vbs"
                PID: 2196

            C:\Windows\System32\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d351468d-da31-44c7-b7e8-b5ac0aa20c65.vbs"
            PID: 3124

        C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35541dda-7271-4b45-900f-b19f5a04cf83.vbs"
        PID: 2140

    C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eda212e0-b707-4135-b3ca-d394da60635d.vbs"
    PID: 4424
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\TextInputHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1116

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2816

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 440

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1800

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4848

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2216

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\smss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3112

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1580

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4408

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\sppsvc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1068

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 968

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1220

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 744

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1100

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4688

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4380

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3916

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2276

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellExperiences\lsass.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 708

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4948

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellExperiences\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1124

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1212

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2508

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4856

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1744

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3372

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3288

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2832

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3684

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4692

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\smss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3100

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\dotnet\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4360

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1552

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\explorer.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1288

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Desktop\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1064

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3744

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\dwm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3780

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1816

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Start Menu\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4804

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe\sihost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 244

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3612

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Adobe\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 116

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\StartMenuExperienceHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4988

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4352

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1912

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3104

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3656

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4708

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Music\TextInputHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3712

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\Music\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 5000

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Music\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2348

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1312

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3640

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3080
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads

Filesize: 3.2MB
MD5: a3a56880e371bb4b5ff3f4e28791b5a5
SHA1: ccfe35536a1b3c8c5f73bd14dce0c44b19ba34ce
SHA256: 2591daab5ada3d5417b33d7ba183edd7b29ee6b71bcb8617427d9d45f317357c
SHA512: 4b4527e62a9ae19fc12fc5307ad5767bb1bb5216dc9dff07e56a801d3a0ae7c3235f68e6d60d7055698d07dc3a9c6496d6ad1bb9ff7a09dfbb2682211be17c70

Filesize: 3.2MB
MD5: 3d1fc8efc678bfb40a5f49845c25a3cb
SHA1: 256a956945e7e21ae94980e02a68a367c27d6134
SHA256: 1e17e7d23ffbbe052329b2938d5dace678d66ee4e1c2c2677534806bc728b056
SHA512: fc2e8df616e30c2c118b8932c6f4df7986ea808bfe7d913171aacf1f3a63f3e27ae859dda061e78b83102be866ce48ad8f473ede10d4e3714be7fd05badfaa7c

Filesize: 3.2MB
MD5: b0c249b693a72c5ff1a062672062d7e3
SHA1: e33a8e952d7f4c47248f3e14f7f21f7b9f404d9b
SHA256: 6d4eb0464a83df85cc2658a6ddf86dde7ee67b59b07040d30b826b9ab93fde8d
SHA512: e3ec6b3a1380dfada3e6ccaaa2f94ba1206a048d6be7efcba5504e8625826e0ed607e02f13a29668ae1d6615cddd9a7ba2c7ad2392cc871a414843db3dabafeb

Filesize: 3.2MB
MD5: be05449cab989bfd4746a79de768ea0a
SHA1: b9a6621f50cf0bd585018234cbd88dfd08b6a4da
SHA256: bf6e2194e5eb468002440144ea8ad581afae778463d67cc6867172e292fc1747
SHA512: 1016d56e8df32853b0de263b09bce6320e1819cf107404d3c7aecee6f811647685bc075b2a3b5881f5454b7e39d2e57bda1056ad4c2b235c3d5d72bfa2b9a1ce

Filesize: 3.2MB
MD5: 084a5938ce77b9383a43d5379c773a31
SHA1: 34b37f96202f81e8a34421020421290f0d1d61ff
SHA256: e493068c68472f3fbaf14f1d126c4861805f5e1cbf1356279ca283ca72177b9d
SHA512: f52ea959e51b7a7df7f7be23578c1b201ea1e4e7b9fdd9227a3883c03e9aa0ff7e2b4d2ae160255f794c840e116d93a1fcfd7c12b37b013f837d087ee9151bae

Filesize: 1KB
MD5: 49b64127208271d8f797256057d0b006
SHA1: b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA256: 2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512: f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 944B
MD5: 59d97011e091004eaffb9816aa0b9abd
SHA1: 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256: 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512: d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Filesize: 944B
MD5: 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1: c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256: 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512: 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Filesize: 944B
MD5: 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1: f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256: 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512: 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Filesize: 713B
MD5: 58ff086d9185ed49d907dfa2329c7e53
SHA1: cb96a0f2b0e64f809ee2280693bfae97951eb9da
SHA256: 27a499a98412e23bd5af60a23f811345624f1792260cea6d52396c3fbde5e445
SHA512: 557e64d84945932a8bcf66b987a85860dea266530a3f4ea47fa1138a63398d28ed4b2c93c6fc5242ce6aa6d7c8419d24f64de7a9186b6e231b33dbf7f609829b

Filesize: 713B
MD5: 91eea95cbd4125a4ea37ca783dfaba38
SHA1: 1187f86cde141001c90ef65e8825f3b1290ba2c2
SHA256: f3d30d622c637e2985867991769586f04ed3ad5fa654787c472386e0ee0d9aff
SHA512: ffd55a8489efbe2e421b5aac6effa8e0c0657651cdf836a1a76f5f7dd158588c23adb7de14abbe56938a9cbc9f6763e75362236faf7288b4d1147efb4be6ce1d

Filesize: 713B
MD5: c3ef35037db52b01840dc65f1f38b852
SHA1: dc1a6e69aa1f86bb382be023f87cfbbf59a77f6f
SHA256: fd24fba1f2bc5cd470366e2bdd82aee1fe142c06f58a00ed225ecaa2a61a60e0
SHA512: d319440cd8f96b6e2b34a2472bcb931da38190ceeadbeb4f67d7f1a128e3035bc72db4ae9e4483d247d6974b6b9beb20f5c416e469c74845ba4899344f177098

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 713B
MD5: 0ed4f3a9a6b10c4f85784d37a2bc67a7
SHA1: 3ec384dc0bcb02992cc08cf1e954e8368e5c310a
SHA256: 2c60ca22b4a11a9cc66974e26c118db4f4d3f1b0ff6cbe105d18f37ece1fdc03
SHA512: 24d073ab3a6aa04849576132893d1edf3993f859016e7a2f2799182c3886c3307b2fb027079b5356f97b21e60ad8de0cd99044fcec2b0c85bd3188daf6366558

Filesize: 712B
MD5: da22ef041ddd10f6a1eb192fe043f6d6
SHA1: e2a545963ddacd4110aca18baf8ee7809e11a5c2
SHA256: 1e1e760b96b1ae647201282d6da5acc90d86e178608fb5f50b4f3120bc390d5f
SHA512: ca34ec316621c7ef93b763e47590f017ba006c488d32a34b61b6d547c3bf723a6352bca4eb81f040461528e74e55e960e04aebe96291a1b36c8be64303298d54

Filesize: 713B
MD5: 9aef344306ee1207ba6a76cf00c8118d
SHA1: 0f49cbe52a8c6b04f70b50d0d9916069cc9f04e1
SHA256: 638758f4c84b3b1a273f7a90ca0d783d4a6c342ba7bbcf48e910b845757dd4ab
SHA512: fff981c1dd7b50ca52726971a8fe507b50acec7979f74ff6ccef18905d0fdb4bd4cd464c1c0691770c536d2fcbea230476fe96fd56be00c60bf4cea987d7deee

Filesize: 713B
MD5: c2b953e70b591e02c4a3c23152d20549
SHA1: 34cc29faccb0afd53aeebe09a04505c25a93848a
SHA256: 0b641dbc5cad5a9a30f32184468c76cfd245091fbe40007eed29d5813083cdd6
SHA512: 84364453dc77f2f333491f59fb424b12bdb73603c5cf05c9e772ea1128dad3f72c6baf8a441208652be66f7419538c0c1ea678d81ee8557bed9aea04ed006e33

Filesize: 489B
MD5: fca860c1322f605db549053e7f9f8eb2
SHA1: ca1f6b73c44bffb2e1850011f6e17b1ea79365d1
SHA256: cc5005df06a46cb34012e5e3f100e9019ca6006007b1939e5b969a75413a5107
SHA512: 3184e3eb2ffcc8a5acdc7bff847c8ec041bbd1be69753ccdb55ec7a292371625d97ef29b6f6e969f452239e59088cd421e994482090b2818b3c179b1ac683106

Filesize: 3.2MB
MD5: 630af483ee3b5912b48f536e87e36bbe
SHA1: 9c41f8263dfa41bc59bcfdc94c4b8a9fe9b501f5
SHA256: c9d2dfbe883bc0e8e928b007ffbcbad20be8184f864cbf042dfd654b5531be18
SHA512: 7ecb991bc5e12136aea5fc5502b9b5f46cfc4828d45fb435f95c63abb2e3a77c9a86c34a3007bc3b90a7749a58dca8813ae49b74ccb2bd5a2797bd00e6c6b6a0

Filesize: 3.2MB
MD5: 89f6cd1f773d3a1ead6be3afb295c88d
SHA1: ba44492cc4ca4a7b9299929f51ced2c1a8e63dc9
SHA256: ac2240e7b5af0107e910c06c8d1335cc3b81473f038e99e813f9adb63349d7c1
SHA512: 7fe1399398abfa5cb58caf07001957951ac7f5db8fe2129d8e0d617066955b5608f962569604607ae9279f145a71deca4de72dd617b4ad79b2223c58c139169b

Filesize: 3.2MB
MD5: 1553f67a0859a3057cde01f77db9dbc0
SHA1: 2cfe40d1fea16093e16c96a35f3240b98da9a5e1
SHA256: a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152
SHA512: 4ff68e4ad4299aa2ca2be8dfd1742d641cf9aee6b687f94b1e3c68062630b2e167a13550a8a184c8ff5a3df1da5b3182ebd29759a84a219af37a8688df6f0de5

Filesize: 3.2MB
MD5: b1377edb5c7395d31186330b4fd7d765
SHA1: b62990a719b9d21207199b75289bdf33b538698e
SHA256: 9298f57897b97818653f7924436abb4830f7d44845eb0206dd4cc09878940752
SHA512: ec727ed321f020368a39e036eb244a247b4e6ae0ecaead1f40b9d514da72db7c7ef6db09c3b455c1234eff0adb6d5232e1af7e0eb3a76823319455d2420efcc3