Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15-05-2024 07:21
Behavioral task: behavioral1
Sample: a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe
Size: 2.9MB
MD5: a2076a85de5c50013fd48e423e2c2050
SHA1: 4ef4d4fd4cf21287ccb37baa4fc8a4efa31b6bd6
SHA256: 296ff7111b13564c6bffbc590f46a21188c873f95658d756c22425584453b9b6
SHA512: ff45a43830600f097569378af3d957346f2e66bfbf65f5a89ba592c5b90ef0759bf7a587914fb84c3406b6624c2301652ed30440cde9701d18bdf68b46cfa1a3
SSDEEP: 49152:f4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:QDKmzjWnC8Wikx1DUN2/Uq
Malware Config
Signatures
DcRat
DarkCrystal RAT (DcRat) is a .NET remote-access trojan, active since June 2019, that can load additional plugins.

Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here every one of the 51 rows has the same parent, C:\Windows\system32\wbem\wmiprvse.exe (pid 2552), and the same child, schtasks.exe. A WmiPrvSE.exe parent is also what a process created through WMI (Win32_Process.Create) looks like, so the more likely reading is that the sample registers its scheduled tasks through WMI rather than that the WMI provider host was exploited. Either way, schtasks.exe under WmiPrvSE.exe is worth a detection rule of its own.
Processes: schtasks.exe x51
The source table has the columns description, pid, pid_target, process and target process. The description, pid_target and process are identical in all 51 rows and only one process name is present per row, so the rows are collapsed here:
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid_target:  2552 (the wmiprvse.exe parent named in the description)
  process:     schtasks.exe
  pid (one schtasks.exe per row, in source order): 2584, 2452, 2444, 2536, 2420, 2480, 2872, 1236, 2888, 2688, 2520, 2748, 2848, 2008, 2328, 1992, 1196, 1972, 2232, 2384, 1644, 680, 352, 1484, 2908, 1620, 1512, 1092, 2924, 2268, 2280, 2252, 2396, 2068, 544, 1792, 452, 2372, 2992, 1744, 1552, 1816, 1860, 2776, 1640, 3056, 1372, 2964, 2176, 1488, 2196
These are the same 51 pids listed under "Creates scheduled task(s)" below.
(Signature title not captured on this page; 36 IoCs, the same set that appears under "System policy modification" below.)
Processes: smss.exe x11 and a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe
All 36 rows are "Set value (int)" writes under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; each of the 12 processes writes all three values once:
  value                       data  written by
  ConsentPromptBehaviorAdmin  "0"   a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe (1 row), smss.exe (11 rows)
  EnableLUA                   "0"   a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe (1 row), smss.exe (11 rows)
  PromptOnSecureDesktop       "0"   a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe (1 row), smss.exe (11 rows)
Together these switch UAC off: ConsentPromptBehaviorAdmin = 0 elevates administrators without any prompt, PromptOnSecureDesktop = 0 removes the secure-desktop isolation of the prompt, and EnableLUA = 0 disables UAC altogether (effective after the next reboot). Restoring the defaults (5, 1 and 1 respectively) is part of any cleanup.
(Signature title not captured on this page.) YARA matches, all for rule dcrat:
  resource                                                                     yara_rule
  behavioral1/memory/2224-1-0x0000000000380000-0x0000000000666000-memory.dmp    dcrat
  C:\Program Files\Windows Media Player\fr-FR\System.exe                        dcrat
  C:\Program Files (x86)\Windows Photo Viewer\audiodg.exe                       dcrat
  C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\RCX584F.tmp                 dcrat
  behavioral1/memory/2528-244-0x0000000000830000-0x0000000000B16000-memory.dmp  dcrat
  behavioral1/memory/2404-255-0x00000000009B0000-0x0000000000C96000-memory.dmp  dcrat
  behavioral1/memory/1864-268-0x0000000000BB0000-0x0000000000E96000-memory.dmp  dcrat
  behavioral1/memory/3000-291-0x0000000001100000-0x00000000013E6000-memory.dmp  dcrat
  behavioral1/memory/400-339-0x00000000001E0000-0x00000000004C6000-memory.dmp   dcrat
  behavioral1/memory/2684-352-0x0000000000E90000-0x0000000001176000-memory.dmp  dcrat
  behavioral1/memory/924-366-0x0000000000F50000-0x0000000001236000-memory.dmp   dcrat
Every memory match spans exactly 0x2E6000 bytes (about 2.9 MB, the size of the sample), pid 2224 is the sample and the other pids are the smss.exe copies listed under "Executes dropped EXE". That is consistent with the rule matching the DcRat image as mapped in each process rather than a separately unpacked second stage.
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
Processes: powershell.exe x12
  pid   process
  780   powershell.exe
  1796  powershell.exe
  1616  powershell.exe
  1236  powershell.exe
  2596  powershell.exe
  1808  powershell.exe
  2532  powershell.exe
  2536  powershell.exe
  2640  powershell.exe
  2244  powershell.exe
  1508  powershell.exe
  592   powershell.exe
All twelve are direct children of the sample (pid 2224), as the "Suspicious use of WriteProcessMemory" rows below show. The PowerShell arguments are not shown on this page.
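The signature above says what the twelve PowerShell instances do but not how they said it. The following is an added example (not the sandbox's code and not taken from the sample) of the parsing a detection rule needs to turn such command lines into the exclusions they add: it recognises Add-MpPreference and Set-MpPreference, collects -ExclusionPath / -ExclusionExtension / -ExclusionProcess values including comma-separated lists, and decodes -EncodedCommand (and the shortened forms PowerShell accepts for it) before matching. The command lines are constructed; the paths are ones this report lists as drop locations, the arguments themselves are assumed.

```python
"""Spot PowerShell command lines that add Microsoft Defender exclusions, the
behaviour this report attributes to the twelve powershell.exe children of the
sample. Added example, not the sandbox's code. The command lines are constructed
in the shape the signature describes; the page does not show the real arguments."""
import base64
import re

CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
# one argument: 'single-quoted', "double-quoted" or a bare token
VALUE = r"(?:'[^']*'|\"[^\"]*\"|[^\s,;|&]+)"
PARAM_RE = re.compile(
    rf"-Exclusion(Path|Extension|Process)\s+({VALUE}(?:\s*,\s*{VALUE})*)", re.IGNORECASE)
# any "-e..." switch followed by a base64 token; filtered below to prefixes of EncodedCommand
ENC_RE = re.compile(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def _decode_encoded(cmdline):
    """Return the decoded script if the line carries -EncodedCommand (or an
    accepted prefix of it, down to -e); otherwise the line itself."""
    for m in ENC_RE.finditer(cmdline):
        if "encodedcommand".startswith(m.group(1).lower()):
            try:
                return base64.b64decode(m.group(2)).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return cmdline
    return cmdline


def defender_exclusions(cmdline):
    """{'Path'|'Extension'|'Process': [values]} for the exclusions the line adds; {} if none."""
    script = _decode_encoded(cmdline)
    if not CMDLET_RE.search(script):
        return {}
    found = {}
    for m in PARAM_RE.finditer(script):
        kind = m.group(1).capitalize()
        values = [v.strip("'\"") for v in re.findall(VALUE, m.group(2))]
        found.setdefault(kind, []).extend(values)
    return found


def scan(cmdlines):
    """Index of each offending command line -> the exclusions it adds."""
    return {i: ex for i, line in enumerate(cmdlines) if (ex := defender_exclusions(line))}


# constructed sample lines (assumed arguments; paths are drop locations from this report)
_ENCODED = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\Windows\\Setup\\State"'.encode("utf-16-le")).decode()
SAMPLE_CMDLINES = [
    r'powershell.exe -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Google\Temp\winlogon.exe"',
    r"powershell.exe -Command Add-MpPreference -ExclusionProcess 'smss.exe', 'csrss.exe' -ExclusionExtension '.exe'",
    "powershell.exe -NoProfile -EncodedCommand " + _ENCODED,
    r"powershell.exe -Command Get-MpPreference",                       # read-only, must not fire
    r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\update.ps1",  # unrelated -E switch
]

if __name__ == "__main__":
    for idx, exclusions in scan(SAMPLE_CMDLINES).items():
        print(idx, exclusions)
```

On a real host the input is Sysmon Event 1 / Security 4688 command lines or, better, the decoded script text from PowerShell script block logging (Event 4104), which defeats the encoding step entirely; the parser is applied the same way to either.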
Executes dropped EXE 11 IoCs
Processes: smss.exe x11
  pid   process
  2528  smss.exe
  2404  smss.exe
  1864  smss.exe
  2536  smss.exe
  3000  smss.exe
  2108  smss.exe
  1388  smss.exe
  1592  smss.exe
  400   smss.exe
  2684  smss.exe
  924   smss.exe
smss.exe is the name of the Windows Session Manager, which runs only from C:\Windows\System32; eleven copies of a 2.9 MB .NET binary under that name are masquerading. No drop location for this smss.exe appears in the file tables on this page; the only C:\Recovery artefact shown is RCX584F.tmp, which also matches the dcrat rule.
(Signature title not captured on this page; 24 IoCs.)
Processes: a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe and smss.exe x11
All rows concern \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; each of the 12 processes reads the value once and sets it to 0 once:
  description         data  process
  Key value queried   -     a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe (1 row), smss.exe (11 rows)
  Set value (int)     "0"   a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe (1 row), smss.exe (11 rows)
Reading EnableLUA and then writing 0 is a check-then-disable of UAC; the writes are the same EnableLUA rows counted in the 36-row policy table above.
Drops file in Program Files directory 32 IoCs
Processes: a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe (all 32 rows)
The 32 rows grouped by target directory (the source interleaves them), with the description as given:
  C:\Program Files\7-Zip\Lang\
    File created                  a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe
    File opened for modification  a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe
    File opened for modification  RCX37C5.tmp
    File created                  188888a73639ae
  C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\
    File created                  a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe
    File opened for modification  a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe
    File opened for modification  RCX411C.tmp
    File created                  188888a73639ae
  C:\Program Files\Windows Media Player\fr-FR\
    File created                  System.exe
    File opened for modification  System.exe
    File opened for modification  RCX3EAB.tmp
    File created                  27d1bcfc3c54e0
  C:\Program Files (x86)\Windows Photo Viewer\
    File created                  audiodg.exe
    File opened for modification  audiodg.exe
    File opened for modification  RCX431F.tmp
    File created                  42af1c969fbb7b
  C:\Program Files\Windows Journal\ja-JP\
    File created                  csrss.exe
    File opened for modification  csrss.exe
    File opened for modification  RCX47C3.tmp
    File created                  886983d96e3d3e
  C:\Program Files (x86)\Windows Sidebar\
    File created                  csrss.exe
    File opened for modification  csrss.exe
    File opened for modification  RCX3C97.tmp
    File created                  886983d96e3d3e
  C:\Program Files (x86)\Mozilla Maintenance Service\
    File created                  taskhost.exe
    File opened for modification  taskhost.exe
    File opened for modification  RCX4BCB.tmp
    File created                  b75386f1303e64
  C:\Program Files (x86)\Google\Temp\
    File created                  winlogon.exe
    File opened for modification  winlogon.exe
    File opened for modification  RCX5243.tmp
    File created                  cc11b995f2a76d
Every directory receives the same triple: an executable, an RCXnnnn.tmp (the temporary name CopyFile uses before renaming to the destination, so each copy was staged then moved over the final name), and a 14-hex-character companion file. The companion name follows the executable name rather than the location: 886983d96e3d3e sits beside both csrss.exe copies, 188888a73639ae beside both copies that keep the sample's own name, and 27d1bcfc3c54e0 beside System.exe here and again under C:\Windows\Setup\State below. Four of the six names (csrss.exe, winlogon.exe, audiodg.exe, taskhost.exe) belong to Windows binaries that never run from Program Files, which makes image path plus image name a cheap hunting query for these drops.
Drops file in Windows directory 4 IoCs
Processes: a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe (all 4 rows)
  C:\Windows\Setup\State\
    File created                  System.exe
    File opened for modification  System.exe
    File opened for modification  RCX45B0.tmp
    File created                  27d1bcfc3c54e0
The same executable / RCX staging file / companion file triple as the Program Files drops, and 27d1bcfc3c54e0 is the companion name used beside the other System.exe copy.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe x51
  pid, in source order: 1792, 2964, 2480, 2924, 1860, 2848, 2176, 1484, 1512, 1640, 2536, 2748, 1972, 2992, 1236, 1092, 2328, 1644, 2372, 2196, 3056, 1488, 2584, 2688, 680, 1620, 2252, 2872, 1372, 352, 1552, 2452, 2268, 2888, 2232, 2384, 2908, 2396, 2444, 1196, 544, 452, 2420, 2008, 2068, 1744, 2280, 1816, 2520, 1992, 2776
All 51 are the schtasks.exe children of wmiprvse.exe (pid 2552) flagged under "Process spawned unexpected child process"; the task names and command lines are not shown on this page. Several of these pids (2536, 1236, 2520, 2452) also belong to powershell.exe, cmd.exe, WScript.exe or smss.exe instances elsewhere in this report: Windows reuses pids quickly within a 150-second run, so correlate on pid plus process start time, never on pid alone.
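The two process-level signals in this report, schtasks.exe spawned by wmiprvse.exe and DcRat copies running under system-binary names from Program Files ("Process spawned unexpected child process", "Executes dropped EXE", the drop tables and the scheduled-task list above), both come from process-creation telemetry. The block below is an added example (not the sandbox's code) of the checks a detection engineer would run over such events: it flags interpreters whose parent is WmiPrvSE.exe, images whose file name is reserved for C:\Windows\System32 but whose path is not, and schtasks /create invocations. The events are constructed dicts in the shape of Sysmon Event 1 fields; pid 2584 and the wmiprvse.exe parent follow the report, the command lines and the other pids are assumed.

```python
"""Process-creation triage for two behaviours this report records: schtasks.exe
spawned by wmiprvse.exe (51 times) and DcRat copies running under Windows
system-binary names (smss.exe, csrss.exe, winlogon.exe, audiodg.exe,
taskhost.exe) from Program Files. Added example, not the sandbox's code.
Events are constructed dicts in the shape of Sysmon Event 1 fields; the
command lines are assumed, the page does not show them."""
import ntpath

# A WmiPrvSE.exe parent means the child was created through WMI
# (Win32_Process.Create); none of these children should come from it.
UNEXPECTED_PARENT_CHILDREN = {
    "wmiprvse.exe": {"schtasks.exe", "cmd.exe", "powershell.exe",
                     "wscript.exe", "cscript.exe", "rundll32.exe"},
}

# Windows binaries that legitimately run only from the system directories.
SYSTEM_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "audiodg.exe", "taskhost.exe",
               "wininit.exe", "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _name(path):
    return ntpath.basename(path).lower()


def findings(event):
    """Rule names the event triggers, in fixed order; [] when clean."""
    hits = []
    image, parent = _name(event["Image"]), _name(event["ParentImage"])
    if image in UNEXPECTED_PARENT_CHILDREN.get(parent, ()):
        hits.append(f"unexpected_child_of_{parent}")
    if image in SYSTEM_ONLY and ntpath.dirname(event["Image"]).lower() not in SYSTEM_DIRS:
        hits.append("system_binary_name_outside_system_dir")
    if image == "schtasks.exe" and "/create" in event.get("CommandLine", "").lower():
        hits.append("scheduled_task_created")
    return hits


def scan(events):
    """ProcessId -> findings for every event that triggers at least one rule."""
    out = {}
    for e in events:
        f = findings(e)
        if f:
            out[e["ProcessId"]] = f
    return out


SAMPLE_EVENTS = [  # constructed; the wmiprvse parent and pid 2584 follow the report, the rest is assumed
    {"ProcessId": 2584, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "CommandLine": r'schtasks.exe /create /tn "ExampleTask" /sc minute /mo 5 /tr "C:\Program Files (x86)\Google\Temp\winlogon.exe"'},
    {"ProcessId": 9001, "Image": r"C:\Program Files (x86)\Google\Temp\winlogon.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "winlogon.exe"},
    {"ProcessId": 300, "Image": r"C:\Windows\System32\csrss.exe",          # the real csrss: clean
     "ParentImage": r"C:\Windows\System32\smss.exe", "CommandLine": r"%SystemRoot%\system32\csrss.exe"},
    {"ProcessId": 4100, "Image": r"C:\Windows\System32\schtasks.exe",      # query, not create: clean
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "schtasks.exe /query /tn ExampleTask"},
]

if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, rules)
```

The parent check is deliberately a short allow-list of interpreters rather than "anything under WmiPrvSE.exe", because legitimate management tooling (SCCM, monitoring agents) does create processes through WMI; the name-outside-System32 check has no such exceptions, since none of those binaries are ever installed elsewhere.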
Suspicious behavior: EnumeratesProcesses 34 IoCs
Processes:
  pid   process                                               rows
  2224  a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe   11
  powershell.exe, one row each: 1796, 2536, 780, 2596, 2244, 2532, 592, 1508, 1236, 1616, 2640, 1808
  smss.exe, one row each: 2528, 2404, 1864, 2536, 3000, 2108, 1388, 1592, 400, 2684, 924
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes: every row is "Token: SeDebugPrivilege"
  2224  a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe
  powershell.exe: 1796, 2536, 780, 2596, 2244, 2532, 592, 1508, 1236, 1616, 2640, 1808
  smss.exe: 2528, 2404, 1864, 2536, 3000, 2108, 1388, 1592, 400, 2684, 924
All 24 processes are .NET: the .NET Framework enables SeDebugPrivilege itself the first time System.Diagnostics.Process is used, so these rows (and the matching EnumeratesProcesses rows above) are a side effect of the sample and its copies listing processes, not on their own evidence of injection.
Suspicious use of WriteProcessMemory 64 IoCs
Processes: a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe, cmd.exe, smss.exe x3, WScript.exe x2 (the writers)
Every parent/child pair appears as three consecutive "PID x wrote to memory of y" rows, the write pattern of ordinary process creation into a fresh child rather than injection into a running process, and the table stops at its 64-row cap, so the chain continues beyond the last row. Collapsed to one line per parent/child pair, in source order:
  2224 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe -> powershell.exe 2536, 780, 1808, 2532, 2640, 1796, 592, 1508, 2596, 1236, 1616, 2244
  2224 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe -> cmd.exe 2520
  2520 cmd.exe -> w32tm.exe 1152
  2520 cmd.exe -> smss.exe 2528
  2528 smss.exe -> WScript.exe 2452, 2412
  2452 WScript.exe -> smss.exe 2404
  2404 smss.exe -> WScript.exe 896, 2312
  896 WScript.exe -> smss.exe 1864
  1864 smss.exe -> WScript.exe 400 (one row; the table is cut off here)
This gives the execution chain: the sample runs its twelve Defender-exclusion PowerShell instances, then a cmd.exe that calls w32tm.exe (w32tm from a dropper's cmd.exe is commonly a delay trick; the command line is not shown here) and starts the first smss.exe copy. Each smss.exe then launches two WScript.exe scripts, one of which starts the next smss.exe, which is how the eleven smss.exe instances under "Executes dropped EXE" arise. The .vbs scripts themselves are not listed on this page.
System policy modification 1 TTPs 36 IoCs
Processes: a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe (1 instance) and smss.exe (11 instances)
All 36 writes are "Set value (int)" operations on the UAC policy key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and every one sets its value to "0":
- EnableLUA = "0": written once by a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe and 11 times by smss.exe (12 writes). A value of 0 turns UAC off for the whole machine; the change takes effect at the next reboot.
- ConsentPromptBehaviorAdmin = "0": written once by a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe and 11 times by smss.exe (12 writes). A value of 0 means members of Administrators are elevated without any consent prompt.
- PromptOnSecureDesktop = "0": written once by a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe and 11 times by smss.exe (12 writes). A value of 0 moves any remaining elevation prompt off the secure desktop, where it could be automated or spoofed by other user-mode code.
The same three values are rewritten by every relaunched copy of smss.exe, which is why the count is 12 per value rather than 1: each process in the relaunch chain below repeats the whole setup.
-
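The parser below turns entries in the format this signature emits (Set value (int) <key>\<value> = "<data>" <process>) into a per-value, per-process count and attaches the meaning of each zero, which is the triage question an analyst actually has: which UAC control was weakened, by what, and how many times. It is an added example written for this page; it is not part of the report and not code from the sample. SAMPLE is constructed in the same format from a subset of the entries above, plus two extra entries (an EnableLUA = "1" write and an unrelated Explorer key) that exist only to show they are ignored.

```python
import re
from collections import defaultdict

# Key the report shows being written, and what a value of 0 means for each entry.
POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {
    "EnableLUA": "UAC disabled machine-wide (effective at next reboot)",
    "ConsentPromptBehaviorAdmin": "administrators elevate with no consent prompt",
    "PromptOnSecureDesktop": "elevation prompts leave the secure desktop",
}

# One 'Set value (int) <key>\<name> = "<data>" <process>' entry; the key cannot
# contain '=' so the lazy match stops at the value name that precedes the '='.
ENTRY_RE = re.compile(
    r'Set value \(int\)\s+(?P<key>\\REGISTRY\\[^=]*?)\\(?P<name>[A-Za-z]+)\s*=\s*"(?P<data>[^"]*)"\s+(?P<proc>\S+)'
)

# Constructed sample in the report's own format (not the full 36-entry list).
SAMPLE_EXE = "a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe"
SAMPLE = " ".join([
    'Set value (int) ' + POLICY_KEY + r'\EnableLUA = "0" smss.exe',
    'Set value (int) ' + POLICY_KEY + r'\EnableLUA = "0" smss.exe',
    'Set value (int) ' + POLICY_KEY + r'\EnableLUA = "0" ' + SAMPLE_EXE,
    'Set value (int) ' + POLICY_KEY + r'\ConsentPromptBehaviorAdmin = "0" smss.exe',
    'Set value (int) ' + POLICY_KEY + r'\PromptOnSecureDesktop = "0" smss.exe',
    'Set value (int) ' + POLICY_KEY + r'\EnableLUA = "1" explorer.exe',          # re-enable, ignored
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" explorer.exe',
])


def parse_entries(text):
    """Yield (key, name, data, process) for every Set value entry in a flattened report line."""
    for m in ENTRY_RE.finditer(text):
        yield m.group("key"), m.group("name"), m.group("data"), m.group("proc")


def summarize_uac_writes(text):
    """Return {value_name: {process: count}} for writes that set a UAC policy value to 0."""
    summary = defaultdict(lambda: defaultdict(int))
    for key, name, data, proc in parse_entries(text):
        if key.lower() == POLICY_KEY.lower() and name in UAC_VALUES and data == "0":
            summary[name][proc] += 1
    return {name: dict(procs) for name, procs in summary.items()}


def uac_findings(text):
    """One human-readable finding per weakened value, with the writing processes."""
    findings = []
    for name, procs in summarize_uac_writes(text).items():
        who = ", ".join(f"{p} x{n}" for p, n in sorted(procs.items()))
        findings.append(f"{name}=0 ({UAC_VALUES[name]}) written by {who}")
    return findings


if __name__ == "__main__":
    for line in uac_findings(SAMPLE):
        print(line)
```

The same three values can be read back on a suspect host from HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; any of them at 0 on a managed workstation is worth an incident on its own, independent of the process that wrote it.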
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe  "C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe"  (level 1)
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2224
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, 12 instances at level 2 (children of PID 2224), each flagged "Command and Scripting Interpreter: PowerShell", "Suspicious behavior: EnumeratesProcesses" and "Suspicious use of AdjustPrivilegeToken". Each one adds a Windows Defender path exclusion. The first, 'C:/', already excludes the entire system drive; the other eleven cover every top-level directory of C: and are redundant with it. Add-MpPreference needs administrative rights, so these calls only take effect if the sample is already running elevated.
- PID:2536  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
- PID:780  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
- PID:1808  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
- PID:2532  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
- PID:2640  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
- PID:1796  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
- PID:592  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
- PID:1508  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
- PID:2596  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
- PID:1236  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
- PID:1616  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
- PID:2244  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MShxucCbpR.bat"  (level 2)
- Suspicious use of WriteProcessMemory
PID:2520
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  (level 3)
PID:1152
C:\Windows\Temp\Crashpad\reports\smss.exe  "C:\Windows\Temp\Crashpad\reports\smss.exe"  (level 3)
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2528
Below PID 2528 the tree alternates between C:\Windows\System32\WScript.exe running a single-use .vbs from C:\Users\Admin\AppData\Local\Temp and a fresh C:\Windows\Temp\Crashpad\reports\smss.exe started by that script, down to level 24. Every smss.exe in this chain carries the same signatures as PID 2528 (UAC bypass, Executes dropped EXE, Checks whether UAC is enabled, Suspicious behavior: EnumeratesProcesses, Suspicious use of AdjustPrivilegeToken, System policy modification); "Suspicious use of WriteProcessMemory" is additionally reported for smss.exe PIDs 2404 and 1864 and for WScript.exe PIDs 2452 and 896, and for no other process in the chain.
(level 4)  WScript.exe  "C:\Users\Admin\AppData\Local\Temp\e91a5fd6-2473-4eca-a721-d82924596864.vbs"  PID:2452
(level 5)  smss.exe  PID:2404
(level 6)  WScript.exe  "C:\Users\Admin\AppData\Local\Temp\3cfa6f23-718b-4828-abac-e81eb33b7df4.vbs"  PID:896
(level 7)  smss.exe  PID:1864
(level 8)  WScript.exe  "C:\Users\Admin\AppData\Local\Temp\9a85b11b-ae36-4e0d-8af0-74e7a0b8cdc1.vbs"  PID:400
(level 9)  smss.exe  PID:2536
(level 10)  WScript.exe  "C:\Users\Admin\AppData\Local\Temp\159c9b7a-7d9e-4917-b6d8-d0de94a4887b.vbs"  PID:1680
(level 11)  smss.exe  PID:3000
(level 12)  WScript.exe  "C:\Users\Admin\AppData\Local\Temp\36cd1339-fb03-417e-88c1-b7ce3e076bd6.vbs"  PID:1776
(level 13)  smss.exe  PID:2108
(level 14)  WScript.exe  "C:\Users\Admin\AppData\Local\Temp\702fd1a4-a25a-46f9-a8f7-827fdfd963c1.vbs"  PID:2832
(level 15)  smss.exe  PID:1388
(level 16)  WScript.exe  "C:\Users\Admin\AppData\Local\Temp\ac3eef52-dcb0-47b6-b93b-6b0ce8fef44f.vbs"  PID:2888
(level 17)  smss.exe  PID:1592
(level 18)  WScript.exe  "C:\Users\Admin\AppData\Local\Temp\60d04011-32b2-426d-8a48-641b46039470.vbs"  PID:3064
(level 19)  smss.exe  PID:400
(level 20)  WScript.exe  "C:\Users\Admin\AppData\Local\Temp\cc0bcd1c-c277-46ad-8953-792fa00f1e88.vbs"  PID:2712
(level 21)  smss.exe  PID:2684
(level 22)  WScript.exe  "C:\Users\Admin\AppData\Local\Temp\e82c0598-8ac0-497f-bd9c-a40132e4e6d2.vbs"  PID:2008
(level 23)  smss.exe  PID:924
(level 24)  WScript.exe  "C:\Users\Admin\AppData\Local\Temp\97ef99bd-616e-49c6-8925-631d1cedea0a.vbs"  PID:1960
(level 24)  WScript.exe  "C:\Users\Admin\AppData\Local\Temp\1b9f6ce1-b2c4-4ec6-933c-92e52fc2a30f.vbs"  PID:2068
Each smss.exe in the chain also starts a second WScript.exe with its own .vbs; these have no children and no signatures (listed from the deepest level up, as the tree unwinds):
(level 22)  WScript.exe  "C:\Users\Admin\AppData\Local\Temp\186638af-fe8a-4fdd-b116-b3fa00935120.vbs"  PID:2400
(level 20)  WScript.exe  "C:\Users\Admin\AppData\Local\Temp\f8211f57-0f21-4891-9104-1a773fad3367.vbs"  PID:2528
(level 18)  WScript.exe  "C:\Users\Admin\AppData\Local\Temp\6a5ff9da-8dc4-438b-a317-0df0e83432a2.vbs"  PID:1324
(level 16)  WScript.exe  "C:\Users\Admin\AppData\Local\Temp\ba59e1ee-d98e-476c-9de2-12f8bb6ecf03.vbs"  PID:1700
(level 14)  WScript.exe  "C:\Users\Admin\AppData\Local\Temp\43dca75c-25d5-49dd-ba83-bac404d2dc93.vbs"  PID:2732
(level 12)  WScript.exe  "C:\Users\Admin\AppData\Local\Temp\7f9c7e93-d5d9-4998-917a-f7c6a8739f10.vbs"  PID:2900
(level 10)  WScript.exe  "C:\Users\Admin\AppData\Local\Temp\93df9a78-56f4-4484-aa93-759f1f36b3d3.vbs"  PID:3056
(level 8)  WScript.exe  "C:\Users\Admin\AppData\Local\Temp\b518053a-3d45-4410-9138-4e497851909a.vbs"  PID:1500
(level 6)  WScript.exe  "C:\Users\Admin\AppData\Local\Temp\1b3add36-0325-42a0-8a49-e1beb1538ef2.vbs"  PID:2312
(level 4)  WScript.exe  "C:\Users\Admin\AppData\Local\Temp\a6fcfda8-4f11-4d82-901e-45966a26f86f.vbs"  PID:2412
PIDs are reused within the run (for example 2528, 400, 2536, 2068 and 2008 each appear for more than one process), so the PID alone does not identify a process in this tree; use PID together with level and image path.
C:\Windows\system32\schtasks.exe, 51 instances at level 1 (their parent is not part of this tree), each flagged "Process spawned unexpected child process" and "Creates scheduled task(s)". Every payload path receives three tasks in the same order: a MINUTE-interval task without a run level, an ONLOGON task with /rl HIGHEST, and a second MINUTE-interval task with /rl HIGHEST. The MINUTE tasks are named after the binary with its first letter appended (smss becomes smsss, csrss becomes csrssc, lsass becomes lsassl), the ONLOGON task uses the bare name. Because /f replaces an existing task of the same name, the later triples overwrite earlier ones that reuse a name (csrss, System, smss, winlogon, a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics), so only the last path registered under each name remains scheduled at the end of the run.
- PID:2584  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\Temp\Crashpad\reports\smss.exe'" /f
- PID:2452  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\smss.exe'" /rl HIGHEST /f
- PID:2444  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\Crashpad\reports\smss.exe'" /rl HIGHEST /f
- PID:2536  schtasks.exe /create /tn "a2076a85de5c50013fd48e423e2c2050_NeikiAnalyticsa" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe'" /f
- PID:2420  schtasks.exe /create /tn "a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe'" /rl HIGHEST /f
- PID:2480  schtasks.exe /create /tn "a2076a85de5c50013fd48e423e2c2050_NeikiAnalyticsa" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe'" /rl HIGHEST /f
- PID:2872  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /f
- PID:1236  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /rl HIGHEST /f
- PID:2888  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /rl HIGHEST /f
- PID:2688  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /f
- PID:2520  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
- PID:2748  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
- PID:2848  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\fr-FR\System.exe'" /f
- PID:2008  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\System.exe'" /rl HIGHEST /f
- PID:2328  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\fr-FR\System.exe'" /rl HIGHEST /f
- PID:1992  schtasks.exe /create /tn "a2076a85de5c50013fd48e423e2c2050_NeikiAnalyticsa" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe'" /f
- PID:1196  schtasks.exe /create /tn "a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe'" /rl HIGHEST /f
- PID:1972  schtasks.exe /create /tn "a2076a85de5c50013fd48e423e2c2050_NeikiAnalyticsa" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe'" /rl HIGHEST /f
- PID:2232  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\audiodg.exe'" /f
- PID:2384  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\audiodg.exe'" /rl HIGHEST /f
- PID:1644  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\audiodg.exe'" /rl HIGHEST /f
- PID:680  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Setup\State\System.exe'" /f
- PID:352  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Setup\State\System.exe'" /rl HIGHEST /f
- PID:1484  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\State\System.exe'" /rl HIGHEST /f
- PID:2908  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\ja-JP\csrss.exe'" /f
- PID:1620  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\csrss.exe'" /rl HIGHEST /f
- PID:1512  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\ja-JP\csrss.exe'" /rl HIGHEST /f
- PID:1092  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
- PID:2924  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
- PID:2268  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
- PID:2280  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\taskhost.exe'" /f
- PID:2252  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\taskhost.exe'" /rl HIGHEST /f
- PID:2396  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\taskhost.exe'" /rl HIGHEST /f
- PID:2068  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\System.exe'" /f
- PID:544  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\System.exe'" /rl HIGHEST /f
- PID:1792  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\System.exe'" /rl HIGHEST /f
- PID:452  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\smss.exe'" /f
- PID:2372  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
- PID:2992  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
- PID:1744  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /f
- PID:1552  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /rl HIGHEST /f
- PID:1816  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /rl HIGHEST /f
- PID:1860  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Searches\services.exe'" /f
- PID:2776  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Searches\services.exe'" /rl HIGHEST /f
- PID:1640  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Searches\services.exe'" /rl HIGHEST /f
- PID:3056  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
- PID:1372  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- PID:2964  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- PID:2176  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\spoolsv.exe'" /f
- PID:1488  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\spoolsv.exe'" /rl HIGHEST /f
- PID:2196  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\spoolsv.exe'" /rl HIGHEST /f
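Detection logic for the three behaviours the process tree above makes visible: the Add-MpPreference exclusions, the w32tm /stripchart call in the dropped .bat (a stripchart against localhost is a sleep, not time synchronisation), and the schtasks persistence that runs system-process look-alikes from directories such as C:\Windows\Temp\Crashpad\reports with /rl HIGHEST. This is an added example written for this page in Python so it runs offline on captured command lines; it is not part of the report and not DcRat's code. SAMPLES is constructed from argv strings that appear in this tree plus two benign lines for contrast; the tag names and the two thresholds (a path at most one level below the drive counts as a broad exclusion, a MINUTE interval of 15 or less counts as frequent) are my own choices.

```python
import re
from pathlib import PureWindowsPath

# Core Windows process names the scheduled tasks in this report impersonate. The genuine
# binaries live under System32 (SysWOW64 for 32-bit copies); "System" is the kernel process
# and has no System.exe on disk at all, so any System.exe is suspect wherever it sits.
SYSTEM_PROCESS_NAMES = {
    "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "taskhost.exe", "audiodg.exe", "system.exe",
}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)
W32TM_DELAY_RE = re.compile(r"\bw32tm(\.exe)?\b.*?/stripchart\b.*?/computer:localhost", re.I)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(\.exe)?\b.*?/create\b", re.I)
TASK_RUN_RE = re.compile(r'''/tr\s+"'?([^"']+?)'?"''', re.I)   # tolerates the "'path'" double quoting
TASK_LEVEL_RE = re.compile(r"/rl\s+(\w+)", re.I)
TASK_SCHED_RE = re.compile(r"/sc\s+(\w+)(?:\s+/mo\s+(\d+))?", re.I)

BROAD_EXCLUSION_MAX_DEPTH = 1   # my threshold: drive root or a top-level directory
FREQUENT_MINUTES = 15           # my threshold: /sc MINUTE /mo <= 15 is "frequent re-execution"

# Constructed input: argv strings from this report, then two benign lines that are not from it.
SAMPLES = [
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:/'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'",
    r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
    r'''schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\smss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "Acme Backup" /sc DAILY /tr "C:\Program Files\Acme\backup.exe" /f''',
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:/Program Files/Acme/cache/'",
]


def path_depth(path):
    """Directories below the drive: 'C:/' -> 0, 'C:/Users/' -> 1, 'C:/a/b/c/' -> 3."""
    p = PureWindowsPath(path)
    return len(p.parts) - (1 if p.drive else 0)


def is_masquerading(target):
    """True when the task binary carries a core-process name but sits outside the system directories."""
    p = PureWindowsPath(target)
    return p.name.lower() in SYSTEM_PROCESS_NAMES and not str(p.parent).lower().startswith(SYSTEM_DIRS)


def triage(cmdline):
    """Return the detection tags that fire on one process command line, in a fixed order."""
    tags = []
    excl = EXCLUSION_RE.search(cmdline)
    if excl:
        tags.append("defender_exclusion")
        if path_depth(excl.group(1)) <= BROAD_EXCLUSION_MAX_DEPTH:
            tags.append("broad_exclusion")
    if W32TM_DELAY_RE.search(cmdline):
        tags.append("w32tm_delay")
    if SCHTASKS_CREATE_RE.search(cmdline):
        tags.append("schtask_create")
        run = TASK_RUN_RE.search(cmdline)
        if run and is_masquerading(run.group(1)):
            tags.append("system_name_masquerade")
        level = TASK_LEVEL_RE.search(cmdline)
        if level and level.group(1).upper() == "HIGHEST":
            tags.append("runlevel_highest")
        sched = TASK_SCHED_RE.search(cmdline)
        if sched and sched.group(1).upper() == "MINUTE" and sched.group(2) and int(sched.group(2)) <= FREQUENT_MINUTES:
            tags.append("frequent_reexecution")
    return tags


def triage_all(cmdlines):
    """Map each command line that fired at least one tag to its tag list."""
    result = {}
    for line in cmdlines:
        tags = triage(line)
        if tags:
            result[line] = tags
    return result


if __name__ == "__main__":
    for line, tags in triage_all(SAMPLES).items():
        print(", ".join(tags).ljust(72), line)
```

On a live host the same three checks map onto Get-MpPreference (the ExclusionPath property), Get-ScheduledTask with each task's Actions, and process-creation telemetry such as Sysmon Event ID 1. The masquerade rule carries the most signal here: a scheduled task whose action is C:\Windows\Temp\Crashpad\reports\smss.exe or a lsass.exe under C:\MSOCache has no legitimate explanation, whereas a broad Defender exclusion occasionally shows up in badly written deployment scripts and needs the surrounding context before it is acted on.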
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads
-
Filesize
2.9MB
MD561d0b223317fb3d7dd141ca6c81d59b6
SHA145672974018c8d5327ee45ba4377ab9b6b951050
SHA256b130505bbf92ae14b3ad76af1d78a659c5b1f408b9a67a24a3b747200bde5e55
SHA512198f744af2f7d9ee2ac308eee524b2e4fc006723357bde10543e3c8379a9e672d5035279605d9453b5ee5982f6ca01d8e99ae4fbedf518a80f9c35cc7d048a87
-
Filesize
2.9MB
MD5a2076a85de5c50013fd48e423e2c2050
SHA14ef4d4fd4cf21287ccb37baa4fc8a4efa31b6bd6
SHA256296ff7111b13564c6bffbc590f46a21188c873f95658d756c22425584453b9b6
SHA512ff45a43830600f097569378af3d957346f2e66bfbf65f5a89ba592c5b90ef0759bf7a587914fb84c3406b6624c2301652ed30440cde9701d18bdf68b46cfa1a3
-
Filesize
2.9MB
MD5a110f4ee8b628db5cdc780304fadfc44
SHA101a161f4ba0680c1747f35677e51ac6efeeccc5e
SHA25659c05faef7f2418969e5c663f0b55b34f79e8079ec16159c3de814caac76a512
SHA5120ef461ea6b4d4b6df998771e4a3bf64a4523b8efc8fc55604d248355210a05ecfe8eef2a65bfc125fb468b902f36f2ed1a91b3a055ff3ba66ca35a68eeb74990
-
Filesize
717B
MD55f8cffc181f94542aab1d27fb96c3bde
SHA1f78a1f7c5cf343e020275b131fcb91e749cf8dba
SHA25606094dc0795d35bded7024c2cf095b898e7fd375b13313fb881d5720a00ecd59
SHA5124cd460bf74b7d168a8d84c8ca5bcb52a235d2712cbe6a9b6c156164023153a84e0fef30b7fd1743e206de95dbc73a49a8fe0f76449aee7853a19a2a4dd3d478b
-
Filesize
717B
MD564d90f9a8d3a546db27cab0439a393b6
SHA1c07693b1b760e1439f9ebf9403ce9455a08693f1
SHA2565d2a5ab6d065e66c33d1822ec5f6fb7f7530bc6c2c493b8313c04024baa481bb
SHA512696d65c6756b56f941a69a896e2cae5e27cdd4284deafc8a776f66a56d15a75d357acd84f9da6d01ee81cd5d9b257d75e7f2afb18980681a9e664110cf6eac12
-
Filesize
717B
MD551adee7793191370be5544da53291f31
SHA12a182f9d272fb2311a08000be503b9ac3f7cc4e5
SHA256233c9d984be0451f27976ee1dd25cecbd91db4c90d90eac38fe7a4b06061705f
SHA512c2438341c509758d5516cd2a944d90829ca75fff0bfa2adb47bdee973bde3a765889afe45363bf33fecece5448aef6080c71b4e26f83ca1cae8a29d5e5c19d0b
-
Filesize
717B
MD5f16e0b8e9527ce0670c3ed80666179e3
SHA1a6a819e061b0e164a3c6b742664f097e414f80c3
SHA25686ea86ac4bc96f798ae4793e2a0e8ee84e0684740f1375223691d4bbec389de2
SHA512464038cd65dfa456923ee343ca09577857ab7e6d532c098d342c2d5b46388fdfafa26804ddb3abf2dda88f45b69fabf395ffc30bdc03a2f3f402c46010d59a6c
-
Filesize
717B
MD530270276a081b74ac73c597fd2eb6743
SHA13dcc62d850acfd770e6ff5ea43e3280952593b57
SHA2563f17593717c0b234ae3e1d7f51ceaf421bedda8032a0343c17bcbbfb57a1a22a
SHA512bf0d92b6ab8be3f32099f8985955dd1d6b3b29f64794d5463ab16873c8c194c8780fd4d5a1e7e6240c61054362acef133d2009e1d9ffbf16ec8645eb5385052e
-
Filesize
716B
MD5220d1f3d394c91926447bc8d438415cf
SHA13d5b5d01cab4452d274739fe3ea54686b6287d40
SHA2562865316de681772804c8a3e08ba88008d6d00846416a4704da84ec18cd0b797a
SHA5129116ba5d2be4a194edf6a8ebc007e3543991426e4fd11887a242e28c35376e23bd1424f44151369cc9de0f91ad7176abe8d9b76090912f576053ac154eab9610
-
Filesize
717B
MD5a7f22205db3673c28098303b29338059
SHA1322df7c5aa4f95463bd22990a36bd8527bcd64b5
SHA256ec62fa6fd8ec5880da281f7235a82bf4ed6fd495114c6f54cb3178f704b36685
SHA512f52604ccdde57c78eaafa0f01ae64f00f412baf5275379df6b1cf9550a9abb1364818e58a9f7ff8d86637a884635aae94d90e2a03f42c14748df9b54d17cb8a9
-
Filesize
206B
MD5
461415bf43e631f91a657904e5c432c8
SHA1
ad718da9108a565f9a6cfc48844f52aedbece4a1
SHA256
bef3d33ce9078f3709972515229a6f7e110b594c673ec19dfa05ea71721e9294
SHA512
0ee0accd239bea0eb94e50236e7b46b169b97d30a544b0afe32772d89d00be064e31ac66977a122651538d054fc99f41e323b25a362b1ea9c6355a67024fdd72
-
Filesize
493B
MD5
734ac567be69f7fdb2fa45f00a1965e6
SHA1
9cd98ac32beef4f8ed29fa91399b02659e5b3f65
SHA256
bc4cb7e86d1e85bbc405ae97b86703998afd1873f2c0e31a49f705cdcb50d7bc
SHA512
6a52eb08759df061010f1709fcd2a4b92a4df10a99682c26a2e3e1e8b6bc41b47d440ed9482e32b7f125904a07238fc64e049b3ef21a462618b6060f000b5e92
-
Filesize
717B
MD5
e59d9a6cb1b018c6d89a9746c41bb117
SHA1
a7ff9d9f7b007129aa7dbddb40f3b7dbcc471f04
SHA256
752abe117be767786870864c31ff24ffc999d38667c0d2b25c6ce83563c7423d
SHA512
f92bd8d1a6347e97cd18be7b0e02cef4340de0e54383481731932e194946026077a1d5e9da7595177cc0a1b5c1dbbd4a3f6e35b57878501045554fd34276f373
-
Filesize
716B
MD5
aee8ab1bc64e514c82c0aab56880961a
SHA1
df6d315af9698bb13d48201c66a8310a227f40b5
SHA256
c79b4a3ae7c15670378ecdb45d1c9bb38d092538c0e42567091cab7f5e8484a9
SHA512
1ddc903b5be0db0eb087ad02d0c8c4d7f3a6cc2ed43592a9b8c5cd1902b337bba2c4b3b70b9e4a2da86be32c9a91951b28dc112b6b1d69b7365dbf018a96e285
-
Filesize
2.9MB
MD5
f0e9d7dd85333e0d1fe274f674867505
SHA1
78333b627d35c6cb84c6f1d2187523fda85bd78c
SHA256
37a634020e504e5b9f8c66ca1853392d829b3be3378640682710f7b81fc491f1
SHA512
efbb8a5389fb22caacecad15a33afe50f9cce2477d346945734f218bddd46827b96099409c193612f3faf963f380ed4dd28d2aa9ea942bef2821f0e8f405ed72
-
Filesize
717B
MD5
e367cd0d8f85f7f38138c0ae7cc15acb
SHA1
889b33ca4da239ada23a6c54a41a08f400a15a31
SHA256
8be69f1fad662a302cffc84dcf3520949c88bdd6ff4dc5d07bbc1392389cc643
SHA512
5877d0c4c1b1ccdfe6957d95ec7e84215c2ebeef06ac5782b465114ba419c42afbb36e633aef20c55ba773fe462ff02dadc4ab2352a3c1880b72415b4bbc29c0
-
Filesize
717B
MD5
965aed64ec713061e1d2c6c428693a55
SHA1
f6d21cf7a6a4f5168602178b633c0c28df593e5e
SHA256
637fff82e7a95ded14555e8d548253c925115520e795aca8de3455ac0f00786a
SHA512
4b57968675d982ea74bce3a3f7ce43fbfb2a69cff85a7621b5cddf74be2e45c9cbd3d677a854b19e5b4b1183f19e36cc37e3d5ca9132115bc7624dbefd136215
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
166da7ed7589780562ec96ec9e99ad90
SHA1
0b9799074cb7bf43cbf6a9db5c18f242c4c20381
SHA256
233898991307a12f09ee3c81c6456642b0464cd94be2f8dab35b6d6edf0b1ce1
SHA512
15d9c803d8ea91f277afde654989d84df20c230f61d97974b05cc2a02906d420cf2be88b8c437b315b0eb16fb4c9b39e9d24b2b233bc4d3781b21d8b3aec235f
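The dropped-file table above is only useful as an indicator set once it is machine-readable, and because most of the entries share the same size (717B) a size-only comparison cannot tell them apart, so matching has to be on digests. The Python below is an added example, not part of the report or of any tool the report names: it parses three entries copied verbatim from this page in the flattened form the page shows (label fused to the hex digest), validates each digest's length against its algorithm, and matches either raw file content or an externally supplied digest against the set. The sample bytes are constructed and do not correspond to any dropped file; the function and class names are the example's own assumptions.

```python
"""Added example: parse a sandbox report's dropped-file hash table and match
candidate files against it. The report lines are copied from the page; the
sample bytes and every function/class name are the example's own."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Three entries copied verbatim from the report's dropped-files table, in the
# flattened form the page shows (algorithm label fused to the hex digest).
REPORT_EXCERPT = r"""
-
Filesize
717B
MD564d90f9a8d3a546db27cab0439a393b6
SHA1c07693b1b760e1439f9ebf9403ce9455a08693f1
SHA2565d2a5ab6d065e66c33d1822ec5f6fb7f7530bc6c2c493b8313c04024baa481bb
SHA512696d65c6756b56f941a69a896e2cae5e27cdd4284deafc8a776f66a56d15a75d357acd84f9da6d01ee81cd5d9b257d75e7f2afb18980681a9e664110cf6eac12
-
Filesize
2.9MB
MD5f0e9d7dd85333e0d1fe274f674867505
SHA178333b627d35c6cb84c6f1d2187523fda85bd78c
SHA25637a634020e504e5b9f8c66ca1853392d829b3be3378640682710f7b81fc491f1
SHA512efbb8a5389fb22caacecad15a33afe50f9cce2477d346945734f218bddd46827b96099409c193612f3faf963f380ed4dd28d2aa9ea942bef2821f0e8f405ed72
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5166da7ed7589780562ec96ec9e99ad90
SHA10b9799074cb7bf43cbf6a9db5c18f242c4c20381
SHA256233898991307a12f09ee3c81c6456642b0464cd94be2f8dab35b6d6edf0b1ce1
SHA51215d9c803d8ea91f277afde654989d84df20c230f61d97974b05cc2a02906d420cf2be88b8c437b315b0eb16fb4c9b39e9d24b2b233bc4d3781b21d8b3aec235f
"""

DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# The labels differ at their fourth character, so a SHA512 line can never be
# read as SHA1; the length check in parse_report catches extraction slips.
_DIGEST_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")


@dataclass
class DroppedFile:
    path: Optional[str] = None       # only some report entries carry a path
    size: Optional[str] = None       # kept as the report's string, e.g. "717B"
    digests: Dict[str, str] = field(default_factory=dict)


def parse_report(text: str) -> List[DroppedFile]:
    """Turn '-' separated blocks of Filesize/MD5/SHA1/SHA256/SHA512 lines into
    records. Handles both 'Filesize\\n7KB' and the fused 'Filesize7KB'."""
    records: List[DroppedFile] = []
    cur = DroppedFile()
    lines = text.strip().splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line == "-":                      # entry separator
            if cur.digests:
                records.append(cur)
            cur = DroppedFile()
            continue
        if line.startswith("Filesize"):
            rest = line[len("Filesize"):].strip()
            if rest:                         # fused form: "Filesize7KB"
                cur.size = rest
            elif i < len(lines):             # split form: value on next line
                cur.size = lines[i].strip()
                i += 1
            continue
        m = _DIGEST_RE.match(line)
        if m:
            algo, hexdigest = m.group(1).lower(), m.group(2).lower()
            if len(hexdigest) != DIGEST_LEN[algo]:
                raise ValueError(f"{algo}: {len(hexdigest)} hex chars, "
                                 f"expected {DIGEST_LEN[algo]}")
            cur.digests[algo] = hexdigest
            continue
        cur.path = line                      # anything else is the drop path
    if cur.digests:
        records.append(cur)
    return records


def build_index(records: List[DroppedFile]) -> Dict[Tuple[str, str], DroppedFile]:
    """Key every digest of every record so one lookup works whatever hash
    type an EDR alert or proxy log happens to provide."""
    return {(algo, hx): rec for rec in records for algo, hx in rec.digests.items()}


def digest_bytes(data: bytes) -> Dict[str, str]:
    return {algo: hashlib.new(algo, data).hexdigest() for algo in DIGEST_LEN}


def lookup_digest(algo: str, hexdigest: str,
                  index: Dict[Tuple[str, str], DroppedFile]) -> Optional[DroppedFile]:
    return index.get((algo.lower(), hexdigest.lower()))


def match_bytes(data: bytes,
                index: Dict[Tuple[str, str], DroppedFile]) -> Optional[DroppedFile]:
    """Hash candidate content with all four algorithms; return the matching
    report entry or None. Size is deliberately not used for matching."""
    for algo, hx in digest_bytes(data).items():
        rec = lookup_digest(algo, hx, index)
        if rec is not None:
            return rec
    return None


RECORDS = parse_report(REPORT_EXCERPT)
INDEX = build_index(RECORDS)

if __name__ == "__main__":
    # Constructed content, not one of the dropped files: expect no match.
    sample = b"MZ constructed test content, not a real dropped file\n"
    print(match_bytes(sample, INDEX))
    hit = lookup_digest("sha256", RECORDS[1].digests["sha256"], INDEX)
    print(hit.size, hit.path)
```

To cover the whole table, paste the remaining entries into `REPORT_EXCERPT` in the same form; the length check will reject any digest that lost characters in extraction rather than silently indexing a value that can never match.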