Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-05-2024 19:11
Behavioral task: behavioral1
Sample: 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
Size: 1.2MB
MD5: 13479ce2adfeb68235431878761f2bd0
SHA1: becd3db1ddb9494d64b2f8f28ca9dcfea5afdbb2
SHA256: 56eb43e82dc6e809762241b8c517ad95557489df9f758e5d2f4104742ca892b7
SHA512: 597d1bb3e5f090bd098bcf52ba37e132175e6c29161ba1e8398875c8de230ceb3efe47f88f435b639a8ec73fd3d0a559df072b0bf4b0b9e934540f58f9615785
SSDEEP: 24576:VR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:bJaDKf4p4UD1v
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
resource | yara_rule
behavioral2/memory/3932-1-0x00000000003D0000-0x000000000050A000-memory.dmp | dcrat
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe | dcrat
C:\Program Files\7-Zip\Lang\RCX4B48.tmp | dcrat
C:\Recovery\WindowsRE\smss.exe | dcrat
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE 15 IoCs
Processes:
pid | process
5744 | Registry.exe
1048 | Registry.exe
3804 | Registry.exe
5740 | Registry.exe
4916 | Registry.exe
5016 | Registry.exe
2236 | Registry.exe
3724 | Registry.exe
4068 | Registry.exe
4836 | Registry.exe
6088 | Registry.exe
944 | Registry.exe
5700 | Registry.exe
2664 | Registry.exe
3928 | Registry.exe
Drops file in Program Files directory 9 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
File created | C:\Program Files\7-Zip\Lang\Registry.exe | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
File created | C:\Program Files\7-Zip\Lang\ee2ad38f3d4382 | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\5b884080fd4f94 | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\7-Zip\Lang\RCX4B48.tmp | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX4D4D.tmp | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
File created | C:\Program Files\ModifiableWindowsApps\taskhostw.exe | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\7-Zip\Lang\Registry.exe | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
Drops file in Windows directory 12 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\debug\RCX40B4.tmp | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
File opened for modification | C:\Windows\Help\fontdrvhost.exe | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
File created | C:\Windows\debug\WmiPrvSE.exe | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
File created | C:\Windows\debug\24dbde2999530e | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
File created | C:\Windows\de-DE\MusNotification.exe | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
File created | C:\Windows\de-DE\aa97147c4c782d | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
File opened for modification | C:\Windows\debug\WmiPrvSE.exe | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
File opened for modification | C:\Windows\Help\RCX42B9.tmp | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
File opened for modification | C:\Windows\de-DE\RCX452B.tmp | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
File opened for modification | C:\Windows\de-DE\MusNotification.exe | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
File created | C:\Windows\Help\fontdrvhost.exe | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
File created | C:\Windows\Help\5b884080fd4f94 | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies registry class 16 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3932 | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
Token: SeDebugPrivilege | 5744 | Registry.exe
Token: SeDebugPrivilege | 1048 | Registry.exe
Token: SeDebugPrivilege | 3804 | Registry.exe
Token: SeDebugPrivilege | 5740 | Registry.exe
Token: SeDebugPrivilege | 4916 | Registry.exe
Token: SeDebugPrivilege | 5016 | Registry.exe
Token: SeDebugPrivilege | 2236 | Registry.exe
Token: SeDebugPrivilege | 3724 | Registry.exe
Token: SeDebugPrivilege | 4068 | Registry.exe
Token: SeDebugPrivilege | 4836 | Registry.exe
Token: SeDebugPrivilege | 6088 | Registry.exe
Token: SeDebugPrivilege | 944 | Registry.exe
Token: SeDebugPrivilege | 5700 | Registry.exe
Token: SeDebugPrivilege | 2664 | Registry.exe
Token: SeDebugPrivilege | 3928 | Registry.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 48 IoCs
Processes:
Registry.exe, 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Registry.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Registry.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Registry.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
(The 48 entries are repetitions of these six rows: the original sample sets the three values once, and each Registry.exe instance in the chain sets them again.)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe"
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3932
-
C:\Program Files\7-Zip\Lang\Registry.exe (depth 2)
Command line: "C:\Program Files\7-Zip\Lang\Registry.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5744
-
C:\Windows\System32\WScript.exe (depth 3)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22156452-dd09-45d4-ae18-fd6468af8618.vbs"
- Suspicious use of WriteProcessMemory
PID:1448
-
C:\Program Files\7-Zip\Lang\Registry.exe (depth 4)
Command line: "C:\Program Files\7-Zip\Lang\Registry.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1048
-
C:\Windows\System32\WScript.exe (depth 5)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edddfa33-8d6c-4487-9834-32ab63455058.vbs"
- Suspicious use of WriteProcessMemory
PID:3004
-
C:\Program Files\7-Zip\Lang\Registry.exe (depth 6)
Command line: "C:\Program Files\7-Zip\Lang\Registry.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3804
-
C:\Windows\System32\WScript.exe (depth 7)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43558a0e-9894-454a-83f2-95e0e533ae46.vbs"
- Suspicious use of WriteProcessMemory
PID:4568
-
C:\Program Files\7-Zip\Lang\Registry.exe (depth 8)
Command line: "C:\Program Files\7-Zip\Lang\Registry.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5740
-
C:\Windows\System32\WScript.exe (depth 9)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f570ebb3-f735-446a-9597-d206b5e8df81.vbs"
- Suspicious use of WriteProcessMemory
PID:768
-
C:\Program Files\7-Zip\Lang\Registry.exe (depth 10)
Command line: "C:\Program Files\7-Zip\Lang\Registry.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4916
-
C:\Windows\System32\WScript.exe (depth 11)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a91b942-8f96-497f-9b95-2f34cf54b281.vbs"
- Suspicious use of WriteProcessMemory
PID:5248
-
C:\Program Files\7-Zip\Lang\Registry.exe (depth 12)
Command line: "C:\Program Files\7-Zip\Lang\Registry.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5016
-
C:\Windows\System32\WScript.exe (depth 13)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ebf0c7d-dfb4-4ce6-acdb-1d47ac45e193.vbs"
- Suspicious use of WriteProcessMemory
PID:1064
-
C:\Program Files\7-Zip\Lang\Registry.exe (depth 14)
Command line: "C:\Program Files\7-Zip\Lang\Registry.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2236
-
C:\Windows\System32\WScript.exe (depth 15)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\928849f6-b62b-4353-93a4-65195f33776c.vbs"
- Suspicious use of WriteProcessMemory
PID:5420
-
C:\Program Files\7-Zip\Lang\Registry.exe (depth 16)
Command line: "C:\Program Files\7-Zip\Lang\Registry.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3724
-
C:\Windows\System32\WScript.exe (depth 17)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0321a02f-68ac-4324-b0a9-06f3d20bccec.vbs"
- Suspicious use of WriteProcessMemory
PID:4924
-
C:\Program Files\7-Zip\Lang\Registry.exe (depth 18)
Command line: "C:\Program Files\7-Zip\Lang\Registry.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4068
-
C:\Windows\System32\WScript.exe (depth 19)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d97f5c2-c923-4e22-b4d0-0af6a22d542f.vbs"
- Suspicious use of WriteProcessMemory
PID:3396
-
C:\Program Files\7-Zip\Lang\Registry.exe (depth 20)
Command line: "C:\Program Files\7-Zip\Lang\Registry.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4836
-
C:\Windows\System32\WScript.exe (depth 21)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a52c5b0-c5e6-4d0e-99e9-e3e82331636f.vbs"
- Suspicious use of WriteProcessMemory
PID:6080
-
C:\Program Files\7-Zip\Lang\Registry.exe (depth 22)
Command line: "C:\Program Files\7-Zip\Lang\Registry.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:6088
-
C:\Windows\System32\WScript.exe (depth 23)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ce2bb3b-bd5c-4fd7-9b03-934eab621c02.vbs"
PID:792
-
C:\Program Files\7-Zip\Lang\Registry.exe (depth 24)
Command line: "C:\Program Files\7-Zip\Lang\Registry.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:944
-
C:\Windows\System32\WScript.exe (depth 25)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\729371c2-3b9d-425f-9ab6-60a8c1336f82.vbs"
PID:1188
-
C:\Program Files\7-Zip\Lang\Registry.exe (depth 26)
Command line: "C:\Program Files\7-Zip\Lang\Registry.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5700
-
C:\Windows\System32\WScript.exe (depth 27)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3645f0ef-38bc-4604-ac6b-f46cd364f500.vbs"
PID:5704
-
C:\Program Files\7-Zip\Lang\Registry.exe (depth 28)
Command line: "C:\Program Files\7-Zip\Lang\Registry.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2664
-
C:\Windows\System32\WScript.exe (depth 29)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84e9772b-728d-44fd-8d90-e49a9341260e.vbs"
PID:4472
-
C:\Program Files\7-Zip\Lang\Registry.exe (depth 30)
Command line: "C:\Program Files\7-Zip\Lang\Registry.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3928
-
C:\Windows\System32\WScript.exe (depth 31)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\509c55a2-1419-478b-bc45-d46afe969a49.vbs"
PID:2720
-
C:\Windows\System32\WScript.exe (depth 31)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c75efd7-ce06-4b93-b63c-fc329a85f255.vbs"
PID:5740
-
C:\Windows\System32\WScript.exe (depth 29)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4259106-d483-4c9d-80d7-c3bd084f8d2d.vbs"
PID:5092
-
C:\Windows\System32\WScript.exe (depth 27)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8bfe4e5-da60-40d5-aa2f-e3ce31515ea4.vbs"
PID:1080
-
C:\Windows\System32\WScript.exe (depth 25)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93c7d8ad-045c-47cc-b5ac-ca86f6a91077.vbs"
PID:1924
-
C:\Windows\System32\WScript.exe (depth 23)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67ccac60-e583-4dcc-a3d7-6d90ceaaf2b7.vbs"
PID:5300
-
C:\Windows\System32\WScript.exe (depth 21)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77ab77e7-e027-43b3-9f2b-6da20bd1081e.vbs"
PID:4692
-
C:\Windows\System32\WScript.exe (depth 19)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46c99728-7af6-42e6-966e-c0bf7d5d1484.vbs"
PID:5852
-
C:\Windows\System32\WScript.exe (depth 17)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b10cb25-52ef-437e-be81-3147ccd658de.vbs"
PID:1524
-
C:\Windows\System32\WScript.exe (depth 15)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9411737-7236-4cae-983a-8853648e90e0.vbs"
PID:4380
-
C:\Windows\System32\WScript.exe (depth 13)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50e90164-3b1e-4891-b467-f21280e63dea.vbs"
PID:1424
-
C:\Windows\System32\WScript.exe (depth 11)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae57892e-9043-401e-ac3e-00b4cb3d1f59.vbs"
PID:4336
-
C:\Windows\System32\WScript.exe (depth 9)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65147756-6be1-4248-81fb-46a297fef56b.vbs"
PID:5132
-
C:\Windows\System32\WScript.exe (depth 7)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\219e93eb-bc33-4eb7-90fe-9b81c3f339e6.vbs"
PID:5612
-
C:\Windows\System32\WScript.exe (depth 5)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7dd23086-0c42-4795-84a1-cc49d687287e.vbs"
PID:2940
-
C:\Windows\System32\WScript.exe (depth 3)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d24feec2-5af4-48d0-91a4-8a0d15778e7a.vbs"
PID:3240
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4072
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4092
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3808
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\debug\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4144
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\debug\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4352
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4064
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Help\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:676
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5876
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\MusNotification.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4332
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Windows\de-DE\MusNotification.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\MusNotification.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4048
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3804
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3720
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2452
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Templates\sppsvc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3032
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Templates\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3648
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Templates\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3052
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\Registry.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2388
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Registry.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\Registry.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5608
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3128
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5336
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5712
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5472
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5328
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4392
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5752
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5448
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Scheduled Task/Job (1)
Downloads