Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 15-05-2024 01:15
Behavioral task: behavioral1
- Sample: 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
- Resource: win7-20240508-en
General
- Target: 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
- Size: 3.1MB
- MD5: 5758f08ee8daacd956d144b547105710
- SHA1: eb9a247be053dc3ffc9986add72c3c95b9a1dcd1
- SHA256: fc7b46480fd584b41761e56b5a4ac9c99ba65f3f09f5b96fc7379aaf279c7c1c
- SHA512: 2cd545ddc2e51cd5cedcf8040cacf66a0d60bfba4b92635ee7b2343e65808c939cfe961d61a50ebddbbdbc302ccec3db8b0b0a2ab5d4afcfbc2a61344f7d0c24
- SSDEEP: 49152:LbX4Wu2bK/B8fKsJOfivj+8TeCUN0LhZxs2AbBT7VWernS5D+oCPgpifYulI2a:/4W9K/KTag9BUNWS7JnS5qoBifHva
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
- Process spawned unexpected child process (42 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2244 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2568 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2512 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2976 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2484 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1648 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2744 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2868 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2880 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 780 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 552 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1036 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1948 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1772 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2248 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 328 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1932 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 536 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 320 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1172 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 664 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1964 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1708 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1580 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1340 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1540 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 576 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2884 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2176 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2080 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1264 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1416 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2376 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 448 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2476 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1276 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1792 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 296 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2024 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1384 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1108 | 2412 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1704 | 2412 | schtasks.exe |
- UAC bypass
  Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | System.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | System.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | System.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | System.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | System.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | System.exe
  Processes:
  resource | yara_rule
  behavioral1/memory/3016-1-0x0000000000A40000-0x0000000000D60000-memory.dmp | dcrat
  C:\Program Files\Windows Defender\smss.exe | dcrat
  C:\Windows\PCHEALTH\ERRORREP\RCX49C6.tmp | dcrat
  C:\Windows\ModemLogs\System.exe | dcrat
  behavioral1/memory/1620-222-0x00000000009E0000-0x0000000000D00000-memory.dmp | dcrat
  behavioral1/memory/1712-339-0x0000000000190000-0x00000000004B0000-memory.dmp | dcrat
- Command and Scripting Interpreter: PowerShell (1 TTPs, 12 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Processes:
  pid | process
  2516 | powershell.exe
  2640 | powershell.exe
  1956 | powershell.exe
  2732 | powershell.exe
  2552 | powershell.exe
  2724 | powershell.exe
  2540 | powershell.exe
  2728 | powershell.exe
  2720 | powershell.exe
  2532 | powershell.exe
  2592 | powershell.exe
  2036 | powershell.exe
- Executes dropped EXE (2 IoCs)
  Processes:
  pid | process
  1620 | System.exe
  1712 | System.exe
- Checks whether UAC is enabled
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | System.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | System.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | System.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | System.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  2 | ip-api.com
- Drops file in System32 directory (4 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Windows\SysWOW64\el-GR\taskhost.exe | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File created | C:\Windows\SysWOW64\el-GR\b75386f1303e64 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File opened for modification | C:\Windows\SysWOW64\el-GR\RCX5242.tmp | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File opened for modification | C:\Windows\SysWOW64\el-GR\taskhost.exe | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
- Drops file in Program Files directory (16 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Program Files (x86)\Windows Portable Devices\c5b4cb5e9653cc | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Windows Portable Devices\RCX43BA.tmp | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Windows Portable Devices\services.exe | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Microsoft Office\Office14\RCX4BCA.tmp | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File created | C:\Program Files\Windows Defender\smss.exe | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File created | C:\Program Files\Microsoft Office\Office14\services.exe | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Windows Defender\RCX41B7.tmp | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Windows Defender\smss.exe | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\RCX503E.tmp | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Idle.exe | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File created | C:\Program Files\Windows Defender\69ddcba757bf72 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Idle.exe | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File created | C:\Program Files\Microsoft Office\Office14\c5b4cb5e9653cc | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\6ccacd8608530f | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Microsoft Office\Office14\services.exe | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File created | C:\Program Files (x86)\Windows Portable Devices\services.exe | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
- Drops file in Windows directory (13 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\ModemLogs\RCX4DCD.tmp | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File created | C:\Windows\rescache\wininit.exe | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File created | C:\Windows\debug\WIA\smss.exe | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File created | C:\Windows\ModemLogs\System.exe | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File opened for modification | C:\Windows\debug\WIA\smss.exe | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File opened for modification | C:\Windows\PCHEALTH\ERRORREP\lsm.exe | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File created | C:\Windows\PCHEALTH\ERRORREP\lsm.exe | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File opened for modification | C:\Windows\ModemLogs\System.exe | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File opened for modification | C:\Windows\PCHEALTH\ERRORREP\RCX49C6.tmp | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File created | C:\Windows\debug\WIA\69ddcba757bf72 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File created | C:\Windows\PCHEALTH\ERRORREP\101b941d020240 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File created | C:\Windows\ModemLogs\27d1bcfc3c54e0 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  File opened for modification | C:\Windows\debug\WIA\RCX3FB3.tmp | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 42 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  pid | process
  1276 | schtasks.exe
  552 | schtasks.exe
  328 | schtasks.exe
  2744 | schtasks.exe
  2868 | schtasks.exe
  780 | schtasks.exe
  1964 | schtasks.exe
  2884 | schtasks.exe
  1792 | schtasks.exe
  2244 | schtasks.exe
  2976 | schtasks.exe
  664 | schtasks.exe
  576 | schtasks.exe
  2176 | schtasks.exe
  1264 | schtasks.exe
  1416 | schtasks.exe
  2376 | schtasks.exe
  1648 | schtasks.exe
  2880 | schtasks.exe
  1108 | schtasks.exe
  1948 | schtasks.exe
  1932 | schtasks.exe
  1540 | schtasks.exe
  1704 | schtasks.exe
  2484 | schtasks.exe
  1036 | schtasks.exe
  1772 | schtasks.exe
  2248 | schtasks.exe
  2080 | schtasks.exe
  2568 | schtasks.exe
  2512 | schtasks.exe
  448 | schtasks.exe
  296 | schtasks.exe
  536 | schtasks.exe
  1172 | schtasks.exe
  1708 | schtasks.exe
  1580 | schtasks.exe
  2476 | schtasks.exe
  2024 | schtasks.exe
  1384 | schtasks.exe
  320 | schtasks.exe
  1340 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid | process
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  2552 | powershell.exe
  1956 | powershell.exe
  2732 | powershell.exe
  2592 | powershell.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  2532 | powershell.exe
  3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  2728 | powershell.exe
  2724 | powershell.exe
  2540 | powershell.exe
  2640 | powershell.exe
  2036 | powershell.exe
  2720 | powershell.exe
  2516 | powershell.exe
  1620 | System.exe
  1620 | System.exe
  1620 | System.exe
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  Token: SeDebugPrivilege | 2552 | powershell.exe
  Token: SeDebugPrivilege | 1956 | powershell.exe
  Token: SeDebugPrivilege | 2732 | powershell.exe
  Token: SeDebugPrivilege | 2592 | powershell.exe
  Token: SeDebugPrivilege | 2532 | powershell.exe
  Token: SeDebugPrivilege | 2728 | powershell.exe
  Token: SeDebugPrivilege | 2724 | powershell.exe
  Token: SeDebugPrivilege | 2540 | powershell.exe
  Token: SeDebugPrivilege | 2640 | powershell.exe
  Token: SeDebugPrivilege | 2036 | powershell.exe
  Token: SeDebugPrivilege | 2720 | powershell.exe
  Token: SeDebugPrivilege | 2516 | powershell.exe
  Token: SeDebugPrivilege | 1620 | System.exe
  Token: SeDebugPrivilege | 1712 | System.exe
- Suspicious use of WriteProcessMemory (48 IoCs)
  Processes:
  description | pid | process | target process
  PID 3016 wrote to memory of 2552 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2552 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2552 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2724 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2724 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2724 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2540 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2540 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2540 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2516 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2516 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2516 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2532 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2532 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2532 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2592 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2592 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2592 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2640 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2640 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2640 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 1956 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 1956 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 1956 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2036 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2036 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2036 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2728 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2728 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2728 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2720 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2720 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2720 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2732 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2732 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 2732 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | powershell.exe
  PID 3016 wrote to memory of 1620 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | System.exe
  PID 3016 wrote to memory of 1620 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | System.exe
  PID 3016 wrote to memory of 1620 | 3016 | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe | System.exe
  PID 1620 wrote to memory of 1800 | 1620 | System.exe | WScript.exe
  PID 1620 wrote to memory of 1800 | 1620 | System.exe | WScript.exe
  PID 1620 wrote to memory of 1800 | 1620 | System.exe | WScript.exe
  PID 1620 wrote to memory of 1952 | 1620 | System.exe | WScript.exe
  PID 1620 wrote to memory of 1952 | 1620 | System.exe | WScript.exe
  PID 1620 wrote to memory of 1952 | 1620 | System.exe | WScript.exe
  PID 1800 wrote to memory of 1712 | 1800 | WScript.exe | System.exe
  PID 1800 wrote to memory of 1712 | 1800 | WScript.exe | System.exe
  PID 1800 wrote to memory of 1712 | 1800 | WScript.exe | System.exe
- System policy modification (1 TTPs, 9 IoCs)
  Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | System.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | System.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | System.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | System.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | System.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | System.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe"
    PID: 3016
    - UAC bypass
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        PID: 2552
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        PID: 2724
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        PID: 2540
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        PID: 2516
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        PID: 2532
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        PID: 2592
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        PID: 2640
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        PID: 1956
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        PID: 2036
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        PID: 2728
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        PID: 2720
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        PID: 2732
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [depth 2] C:\Windows\ModemLogs\System.exe
        Command line: "C:\Windows\ModemLogs\System.exe"
        PID: 1620
        - UAC bypass
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

        [depth 3] C:\Windows\System32\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\340a0a56-b735-4c5d-b379-8db6c9fdba90.vbs"
            PID: 1800
            - Suspicious use of WriteProcessMemory

            [depth 4] C:\Windows\ModemLogs\System.exe
                Command line: C:\Windows\ModemLogs\System.exe
                PID: 1712
                - UAC bypass
                - Executes dropped EXE
                - Checks whether UAC is enabled
                - Suspicious use of AdjustPrivilegeToken
                - System policy modification

        [depth 3] C:\Windows\System32\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\506c1e97-20ce-4a81-be97-8dfcc95d232e.vbs"
            PID: 1952
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\wininit.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\spoolsv.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2744
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\spoolsv.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\spoolsv.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2880
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\WIA\smss.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:780
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\debug\WIA\smss.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:552
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\debug\WIA\smss.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\smss.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\smss.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\smss.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:328
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:664
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\audiodg.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Templates\audiodg.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\audiodg.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\PCHEALTH\ERRORREP\lsm.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1340
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\lsm.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\PCHEALTH\ERRORREP\lsm.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:576
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\services.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\services.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\services.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2080
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\ModemLogs\System.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ModemLogs\System.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\ModemLogs\System.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Idle.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:448
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Idle.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Idle.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\SysWOW64\el-GR\taskhost.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\el-GR\taskhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:296
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\SysWOW64\el-GR\taskhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads
-
Filesize
3.1MB
MD5 5758f08ee8daacd956d144b547105710
SHA1 eb9a247be053dc3ffc9986add72c3c95b9a1dcd1
SHA256 fc7b46480fd584b41761e56b5a4ac9c99ba65f3f09f5b96fc7379aaf279c7c1c
SHA512 2cd545ddc2e51cd5cedcf8040cacf66a0d60bfba4b92635ee7b2343e65808c939cfe961d61a50ebddbbdbc302ccec3db8b0b0a2ab5d4afcfbc2a61344f7d0c24
-
Filesize
707B
MD5 c488c2273ca32e8270ff525e2af93b7a
SHA1 d84a2ffeee6ab16794777edfab95b8b32dabd89e
SHA256 67413a746cea8d534dde0f8061f3b343cd861203a098da82cacb1527994cab69
SHA512 68634a738c5d92f10ad63e35824b47e04caecd57dd9227edd9fe0e2710a2f86e456383f00b16fe5b1dc86f00dc3752fd69025784c0d35c30d683fcfb47eab773
-
Filesize
68KB
MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
177KB
MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5 18c548fe8639b71ede6b439e9e5efd6b
SHA1 0ce5be64c0e5cb90354d9388eafc89b0ddcfea52
SHA256 23dc834e172defa19253b1d7b5f4e1393d5e5306df2409ea9438ecf14a24b8e2
SHA512 48c10a288de4303a455290709b75ce8cea046d9bb787b8b68e85e168a0d25e3373f761506b6d394ad4454a0c352c15be715e9f0851357205990ef9a25e0b1185
-
Filesize
3.1MB
MD5 104e7e067afb7f5685b9cf68c96cea34
SHA1 4884afc31acc1ec73553f397fda159b1ec4ee459
SHA256 3ae5584ada9307d62a457833cb148b6eff67ec80ade17d9cb2d2c30a891e5751
SHA512 c3cc37e6115740219cc4e10d5beef4664ded8e3df620d523fe9205d2dc30acf794f85259791cd033ca635ce89afc974f29f8030c2ef82b6ec7bb317f5d5f7895
-
Filesize
3.1MB
MD5 66fba1d1be32d45520cc5a9771c17372
SHA1 3ba9307a4d52961f66e3d8587d632960a2325249
SHA256 b1c8559283f385a523772a5ef5fc147cb5c66636fdb604f09096e8d2b7c61805
SHA512 ab00ac8cc6e83c09bc3a87b7aa1faa59f24761c00fd9e5d00efdb162e0d28c70eecb6adcd4b9e1876004bf7f4a60023dabcaa6b19ad3dd8ef0d59d5de94a8d77