Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-05-2024 05:55
Behavioral task: behavioral1
Sample: 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Size: 3.2MB
MD5: 9053e1e0f0dc79857427f7ef64fa3530
SHA1: 93298ff5140f6ba9724e31dda271148cd73c7511
SHA256: 5e18fece13e186284ad707df63c1d44b117dbffd5da5b814ebf1a68647679c5b
SHA512: 9bbcb60546639f4b995a817978c4f3331933fbf7dd409c2b1d06c84aeef1b437cd8e750abdf8dccafb558f5d68fe2f98f42feaeb01ccbee8934147f575cf5657
SSDEEP: 49152:/C0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:/C0Fl8v/qXYrv5tG9uKJGAWl5N
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 748 | 1936 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4404 | 1936 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4608 | 1936 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3740 | 1936 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2644 | 1936 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4652 | 1936 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 544 | 1936 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4468 | 1936 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2732 | 1936 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1972 | 1936 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1664 | 1936 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4512 | 1936 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4892 | 1936 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4588 | 1936 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4976 | 1936 | schtasks.exe |
UAC bypass
Processes (24 entries; identical rows merged, with a count):
description | ioc | process | count
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe | 7
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe | 7
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe | 7
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | 1
Processes:
resource | yara_rule
behavioral2/memory/1376-1-0x0000000000DA0000-0x00000000010DC000-memory.dmp | dcrat
C:\Users\Public\backgroundTaskHost.exe | dcrat
C:\Windows\Sun\Java\Deployment\csrss.exe | dcrat
C:\Users\Public\backgroundTaskHost.exe | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes (pid | process): powershell.exe with pids 4044, 4832, 3808, 2172, 4736, 608, 4884, 1184, 2836, 2448, 1468
Checks computer location settings 2 TTPs 8 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes (8 entries; identical rows merged, with a count):
description | ioc | process | count
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | 1
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | dwm.exe | 7
Executes dropped EXE 7 IoCs
Processes (pid | process): dwm.exe with pids 3540, 4460, 2424, 5068, 424, 1476, 1724
Checks whether UAC is enabled
Processes (16 entries; identical rows merged, with a count):
description | ioc | process | count
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe | 7
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe | 7
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | 1
Drops file in Program Files directory 5 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\WindowsPowerShell\Modules\dwm.exe | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\dwm.exe | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created | C:\Program Files\WindowsPowerShell\Modules\6cb0b6c459d5d3 | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\RCX5B32.tmp | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\RCX5B33.tmp | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Drops file in Windows directory 5 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Sun\Java\Deployment\886983d96e3d3e | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification | C:\Windows\Sun\Java\Deployment\RCX5F5C.tmp | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification | C:\Windows\Sun\Java\Deployment\RCX5FDA.tmp | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification | C:\Windows\Sun\Java\Deployment\csrss.exe | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created | C:\Windows\Sun\Java\Deployment\csrss.exe | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid | process): schtasks.exe with pids 4512, 4588, 4652, 1664, 3740, 748, 4608, 544, 4468, 2732, 1972, 4892, 4976, 4404, 2644
Modifies registry class 8 IoCs
Processes (8 entries; identical rows merged, with a count):
description | ioc | process | count
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | dwm.exe | 7
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | 1
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (64 entries; identical rows merged, with a count):
pid | process | count
1376 | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | 21
1468 | powershell.exe | 3
4832 | powershell.exe | 3
2172 | powershell.exe | 3
2836 | powershell.exe | 3
1184 | powershell.exe | 3
4884 | powershell.exe | 3
4736 | powershell.exe | 3
4044 | powershell.exe | 3
3808 | powershell.exe | 3
2448 | powershell.exe | 3
608 | powershell.exe | 3
3540 | dwm.exe | 10
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes (description | pid | process): every entry is Token: SeDebugPrivilege, for 1376 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe; powershell.exe pids 1468, 4832, 2172, 2836, 1184, 4884, 4736, 4044, 3808, 2448, 608; dwm.exe pids 3540, 4460, 2424, 5068, 424, 1476, 1724
Suspicious use of WriteProcessMemory 64 IoCs
Processes (64 entries; each "PID X wrote to memory of Y" pair appears twice in the original and is listed once here):
pid | process | target pid | target process
1376 | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | 3808 | powershell.exe
1376 | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | 4832 | powershell.exe
1376 | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | 4044 | powershell.exe
1376 | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | 4884 | powershell.exe
1376 | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | 608 | powershell.exe
1376 | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | 1468 | powershell.exe
1376 | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | 2448 | powershell.exe
1376 | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | 2836 | powershell.exe
1376 | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | 1184 | powershell.exe
1376 | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | 4736 | powershell.exe
1376 | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | 2172 | powershell.exe
1376 | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | 5084 | cmd.exe
5084 | cmd.exe | 3900 | w32tm.exe
5084 | cmd.exe | 3540 | dwm.exe
3540 | dwm.exe | 1988 | WScript.exe
3540 | dwm.exe | 4780 | WScript.exe
1988 | WScript.exe | 4460 | dwm.exe
4460 | dwm.exe | 4356 | WScript.exe
4460 | dwm.exe | 1052 | WScript.exe
4356 | WScript.exe | 2424 | dwm.exe
2424 | dwm.exe | 3740 | WScript.exe
2424 | dwm.exe | 2448 | WScript.exe
3740 | WScript.exe | 5068 | dwm.exe
5068 | dwm.exe | 4628 | WScript.exe
5068 | dwm.exe | 752 | WScript.exe
4628 | WScript.exe | 424 | dwm.exe
424 | dwm.exe | 4472 | WScript.exe
424 | dwm.exe | 4000 | WScript.exe
4472 | WScript.exe | 1476 | dwm.exe
1476 | dwm.exe | 3040 | WScript.exe
1476 | dwm.exe | 4464 | WScript.exe
3040 | WScript.exe | 1724 | dwm.exe
System policy modification 1 TTPs 24 IoCs
Processes (24 entries; identical rows merged, with a count):
description | ioc | process | count
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe | 7
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe | 7
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe | 7
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | 1
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1376 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3808
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4832
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4044
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4884
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:608
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1468
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2836
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2172
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m147yiIR6h.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:3900
-
-
C:\Program Files\WindowsPowerShell\Modules\dwm.exe"C:\Program Files\WindowsPowerShell\Modules\dwm.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3540

Depth 4: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7fd8752-89d6-4448-8864-7c6d7045c7d5.vbs"
- Suspicious use of WriteProcessMemory
PID:1988

Depth 5: C:\Program Files\WindowsPowerShell\Modules\dwm.exe
Command line: "C:\Program Files\WindowsPowerShell\Modules\dwm.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4460

Depth 6: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\592e7e33-f2df-47c9-9801-ccf9282b1397.vbs"
- Suspicious use of WriteProcessMemory
PID:4356

Depth 7: C:\Program Files\WindowsPowerShell\Modules\dwm.exe
Command line: "C:\Program Files\WindowsPowerShell\Modules\dwm.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2424

Depth 8: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\937f4753-aa2a-4fc2-9a58-fd4eb9f790e6.vbs"
- Suspicious use of WriteProcessMemory
PID:3740

Depth 9: C:\Program Files\WindowsPowerShell\Modules\dwm.exe
Command line: "C:\Program Files\WindowsPowerShell\Modules\dwm.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5068

Depth 10: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1206b3d4-8717-4578-8f5b-aa3423e1cac0.vbs"
- Suspicious use of WriteProcessMemory
PID:4628

Depth 11: C:\Program Files\WindowsPowerShell\Modules\dwm.exe
Command line: "C:\Program Files\WindowsPowerShell\Modules\dwm.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:424

Depth 12: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7197520a-4f41-40b3-b808-c13c64840f09.vbs"
- Suspicious use of WriteProcessMemory
PID:4472

Depth 13: C:\Program Files\WindowsPowerShell\Modules\dwm.exe
Command line: "C:\Program Files\WindowsPowerShell\Modules\dwm.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1476

Depth 14: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\729a664b-a9de-488d-9df4-6937727967b5.vbs"
- Suspicious use of WriteProcessMemory
PID:3040

Depth 15: C:\Program Files\WindowsPowerShell\Modules\dwm.exe
Command line: "C:\Program Files\WindowsPowerShell\Modules\dwm.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1724

Depth 16: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70378bee-d86b-4fd6-a505-27d597c32a17.vbs"
PID:3292

Depth 16: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e40eb784-9f3f-4fd9-992c-a2a05b4f8bd0.vbs"
PID:4296

Depth 14: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9d8b9cc-326d-47e3-83a2-c2a0235b53c6.vbs"
PID:4464

Depth 12: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4010bdd-1af1-46ab-b6db-933d54956e73.vbs"
PID:4000

Depth 10: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abe0f827-f4aa-4aa5-9115-dff9fc0f0c92.vbs"
PID:752

Depth 8: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\564346af-8872-4f9a-9087-4bb03a14c8c5.vbs"
PID:2448

Depth 6: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f88d8242-e00c-4d97-9157-1bf4d49c4e05.vbs"
PID:1052

Depth 4: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9877992c-a2b3-444f-aedb-cb4a50dd59bb.vbs"
PID:4780
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Modules\dwm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:748

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4404

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Modules\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3740

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2644

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4652

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Sun\Java\Deployment\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:544

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Sun\Java\Deployment\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4512

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Users\Public\backgroundTaskHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4892

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4588

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Users\Public\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads