Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system -
submitted
15-05-2024 09:07
Behavioral task
behavioral1
Sample
b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
Resource
win7-20240508-en
General
-
Target
b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
-
Size
3.2MB
-
MD5
b6c83df257a00210c12b42d28a5df730
-
SHA1
67a993a3c4547e8442f767575dafdbfe018ec0e4
-
SHA256
8fdd38ee81442567732265fa944a19a51a26ec1254e8d2a54e41d254a52a35d6
-
SHA512
1c0bdbae29e9761260b3f9284d41be1b63c921399e7e1822c5c725d9811bea555b64fd311ab8e86634b36fdfa381e686fe087b480de9cf958a4f944556f5f60c
-
SSDEEP
49152:vC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:vC0Fl8v/qXYrv5tG9uKJGAWl5N
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this report the unexpected parent is WmiPrvSE.exe, the WMI provider host, which is the recorded parent of any process created through WMI (Win32_Process.Create). The likelier reading is therefore not that WMI was exploited but that the sample created its thirty scheduled tasks through WMI, so the schtasks.exe launches are detached from its own process tree.
Processes: schtasks.exe (30 instances)
description (all rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid (child)  pid_target (parent)  process
2520         2804                 schtasks.exe
2680         2804                 schtasks.exe
2608         2804                 schtasks.exe
2504         2804                 schtasks.exe
2524         2804                 schtasks.exe
2664         2804                 schtasks.exe
2284         2804                 schtasks.exe
1604         2804                 schtasks.exe
2836         2804                 schtasks.exe
2864         2804                 schtasks.exe
2868         2804                 schtasks.exe
2884         2804                 schtasks.exe
1832         2804                 schtasks.exe
3000         2804                 schtasks.exe
1792         2804                 schtasks.exe
2040         2804                 schtasks.exe
1628         2804                 schtasks.exe
1624         2804                 schtasks.exe
1504         2804                 schtasks.exe
2768         2804                 schtasks.exe
2760         2804                 schtasks.exe
1304         2804                 schtasks.exe
620          2804                 schtasks.exe
820          2804                 schtasks.exe
2592         2804                 schtasks.exe
3052         2804                 schtasks.exe
2828         2804                 schtasks.exe
2676         2804                 schtasks.exe
2476         2804                 schtasks.exe
2088         2804                 schtasks.exe -
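A detection for the parent/child pattern above, written as an added example for this report (it is not sandbox code). It walks process-creation events, flags sensitive children whose parent is WmiPrvSE.exe (launch via WMI) or any other parent outside an expected baseline, and reports a burst when one parent spawns the same sensitive child many times. The event records are constructed from the report's pid/parent pairs, and the Sysmon-like field names and the expected-parent sets are assumptions to tune for your environment.

```python
"""Flag process-creation events whose parent/child pairing is suspicious.

Added example for this report; it is not sandbox code. The event records
below are constructed from the report's pid/parent pairs, and the field
names (pid, ppid, image, parent_image) are an assumed Sysmon-like schema.
"""
from collections import Counter, defaultdict

# Sensitive children and the parents that normally launch them on an
# interactive workstation. Assumed baseline: tune it to your environment.
EXPECTED_PARENTS = {
    "schtasks.exe": {"cmd.exe", "explorer.exe", "svchost.exe", "mmc.exe"},
    "powershell.exe": {"cmd.exe", "explorer.exe"},
}

# WmiPrvSE.exe is the parent of every process created through WMI
# (Win32_Process.Create), which is how a sample can launch helpers that do
# not appear under its own process tree.
SERVICE_PARENTS = {"wmiprvse.exe": "launched via WMI Win32_Process.Create"}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(events, burst_threshold=5):
    """Return findings as (pid, child, parent, reason) tuples.

    One parent creating more than burst_threshold copies of the same
    sensitive child is reported once more as a burst; thirty schtasks.exe
    launches from one parent is the pattern in the report above.
    """
    findings = []
    per_parent = defaultdict(Counter)
    for ev in events:
        child = _basename(ev["image"])
        parent = _basename(ev["parent_image"])
        if child not in EXPECTED_PARENTS:
            continue
        per_parent[(ev["ppid"], parent)][child] += 1
        if parent in SERVICE_PARENTS:
            findings.append((ev["pid"], child, parent, SERVICE_PARENTS[parent]))
        elif parent not in EXPECTED_PARENTS[child]:
            findings.append((ev["pid"], child, parent, "unexpected parent"))
    for (ppid, parent), counts in per_parent.items():
        for child, n in counts.items():
            if n > burst_threshold:
                findings.append((ppid, child, parent, f"burst: {n} launches"))
    return findings


# Constructed events mirroring the report: eight of the thirty schtasks.exe
# children of WmiPrvSE.exe (pid 2804), one PowerShell child of the sample
# (pid 1700) and the w32tm.exe child of cmd.exe (pid 2516).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe"
EVENTS = [
    {"pid": p, "ppid": 2804, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\system32\wbem\wmiprvse.exe"}
    for p in (2520, 2680, 2608, 2504, 2524, 2664, 2284, 1604)
] + [
    {"pid": 1756, "ppid": 1700, "parent_image": SAMPLE,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 2508, "ppid": 2516, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\system32\w32tm.exe"},
]

if __name__ == "__main__":
    for finding in classify(EVENTS):
        print(finding)
```

On the sample events this yields eight "launched via WMI" findings, one "unexpected parent" for the PowerShell child of the dropper, one burst for the schtasks.exe run, and nothing for w32tm.exe, which is not in the sensitive list. In production the WMI rule alone will fire on legitimate management tooling, so pair it with the burst count or with the child's command line.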
UAC bypass 21 IoCs
Writes 0 to the three values under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System that govern UAC: EnableLUA (UAC off entirely, effective after the next reboot), ConsentPromptBehaviorAdmin (administrators elevate without a prompt) and PromptOnSecureDesktop (any remaining prompt no longer uses the secure desktop).
Processes: b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe, dwm.exe (6 instances)
description      ioc (value under ...\Policies\System)  process
Set value (int)  ConsentPromptBehaviorAdmin = "0"       b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
Set value (int)  EnableLUA = "0"                        dwm.exe
Set value (int)  PromptOnSecureDesktop = "0"            dwm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"       dwm.exe
Set value (int)  PromptOnSecureDesktop = "0"            dwm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"       dwm.exe
Set value (int)  PromptOnSecureDesktop = "0"            dwm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"       dwm.exe
Set value (int)  PromptOnSecureDesktop = "0"            dwm.exe
Set value (int)  EnableLUA = "0"                        dwm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"       dwm.exe
Set value (int)  PromptOnSecureDesktop = "0"            b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
Set value (int)  PromptOnSecureDesktop = "0"            dwm.exe
Set value (int)  EnableLUA = "0"                        dwm.exe
Set value (int)  EnableLUA = "0"                        b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
Set value (int)  EnableLUA = "0"                        dwm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"       dwm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"       dwm.exe
Set value (int)  EnableLUA = "0"                        dwm.exe
Set value (int)  PromptOnSecureDesktop = "0"            dwm.exe
Set value (int)  EnableLUA = "0"                        dwm.exe -
DcRat payload 6 IoCs
The YARA rule dcrat matched in memory dumps of PIDs 1700, 1012, 2792 and 2564 and in two of the dropped copies on disk.
resource                                                                    yara_rule
behavioral1/memory/1700-1-0x0000000001220000-0x000000000155C000-memory.dmp    dcrat
C:\Program Files\Windows Journal\it-IT\dllhost.exe                          dcrat
C:\Program Files\Microsoft Office\Office14\1033\b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe  dcrat
behavioral1/memory/1012-244-0x00000000012F0000-0x000000000162C000-memory.dmp  dcrat
behavioral1/memory/2792-289-0x0000000000390000-0x00000000006CC000-memory.dmp  dcrat
behavioral1/memory/2564-302-0x0000000000350000-0x000000000068C000-memory.dmp  dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Runs PowerShell (Add-MpPreference) to add Windows Defender exclusions for file extensions, paths or processes. Here every -ExclusionPath is a top-level folder of the system drive plus the drive root itself ('C:/'), so real-time scanning is effectively switched off for the whole volume. The exclusions persist after the processes exit and after the sample is removed; check with Get-MpPreference and remove them with Remove-MpPreference during cleanup.
Processes: powershell.exe (12 instances)
pid: 876, 2964, 1968, 1568, 1756, 1516, 2124, 2972, 1740, 1600, 1724, 1228 -
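The twelve PowerShell invocations add one exclusion each, and their combined effect is only visible once they are taken together. The following added example (mine, not sandbox code) extracts every -ExclusionPath/-ExclusionProcess/-ExclusionExtension argument from a list of command lines, normalises PowerShell's accepted forward slashes so 'C:/' and 'C:\' compare equal, and rates how much of the disk is left unscanned. The command lines are the ones from this report's process tree; the severity rule for "whole disk" is my own assumption.

```python
"""Score the breadth of Defender exclusions added via Add-MpPreference.

Added example; not part of the report. The command lines are the twelve
PowerShell invocations from this report's process tree; the "whole disk"
rule is an assumption of this example.
"""
import re

REPORT_CMDLINES = [
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Users/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'",
]

# -ExclusionPath / -ExclusionProcess / -ExclusionExtension followed by a
# single-quoted, double-quoted or bare argument (one value per switch).
_EXCLUSION = re.compile(
    r"-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)

# Folders whose joint exclusion leaves nothing meaningful scanned (assumed).
_CRITICAL_TOPLEVEL = {"WINDOWS", "USERS", "PROGRAM FILES", "PROGRAMDATA"}


def normalize(path):
    """Fold forward slashes to backslashes, drop the trailing separator and
    upper-case the drive letter so 'c:/Windows/' == 'C:\\Windows'."""
    p = path.replace("/", "\\").rstrip("\\")
    return p[0].upper() + p[1:] if len(p) >= 2 and p[1] == ":" else p


def analyze_exclusions(cmdlines):
    """Return the exclusions found plus a verdict on how much of the disk is
    now unscanned. Exclusions are cumulative across commands."""
    paths, other = [], []
    for line in cmdlines:
        for m in _EXCLUSION.finditer(line):
            kind = m.group(1).lower()
            value = m.group(2) or m.group(3) or m.group(4)
            (paths if kind == "path" else other).append(normalize(value))
    drive_roots = [p for p in paths if re.fullmatch(r"[A-Z]:", p)]
    toplevel = {p.split("\\")[1].upper() for p in paths if p.count("\\") == 1}
    whole_disk = bool(drive_roots) or _CRITICAL_TOPLEVEL <= toplevel
    return {
        "paths": paths,
        "other": other,
        "drive_roots": drive_roots,
        "toplevel": sorted(toplevel),
        "whole_disk": whole_disk,
    }


if __name__ == "__main__":
    print(analyze_exclusions(REPORT_CMDLINES))
```

For this report the verdict is whole_disk=True twice over: the drive root is excluded outright, and the eleven top-level folders would cover the critical set on their own. The normalisation step matters in practice because a rule keyed on the literal string "C:\" misses the forward-slash form used here.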
Executes dropped EXE 6 IoCs
Processes:
Processes: dwm.exe (6 instances)
pid: 1012, 2968, 1988, 2488, 2792, 2564 -
Checks whether UAC is enabled 14 IoCs
Reads EnableLUA under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; the same processes also write it to 0.
Processes: dwm.exe (6 instances), b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
description        ioc (value under ...\Policies\System)  process
Key value queried  EnableLUA                              dwm.exe
Key value queried  EnableLUA                              dwm.exe
Key value queried  EnableLUA                              dwm.exe
Key value queried  EnableLUA                              dwm.exe
Set value (int)    EnableLUA = "0"                        b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
Set value (int)    EnableLUA = "0"                        dwm.exe
Set value (int)    EnableLUA = "0"                        dwm.exe
Set value (int)    EnableLUA = "0"                        dwm.exe
Key value queried  EnableLUA                              dwm.exe
Set value (int)    EnableLUA = "0"                        dwm.exe
Key value queried  EnableLUA                              dwm.exe
Set value (int)    EnableLUA = "0"                        dwm.exe
Key value queried  EnableLUA                              b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
Set value (int)    EnableLUA = "0"                        dwm.exe -
Drops file in Program Files directory 20 IoCs
Processes: b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe (all rows)
description                   ioc
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\RCX38D0.tmp
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\RCX38D1.tmp
File opened for modification  C:\Program Files (x86)\MSBuild\Microsoft\RCX24D1.tmp
File opened for modification  C:\Program Files (x86)\MSBuild\Microsoft\RCX24D2.tmp
File opened for modification  C:\Program Files\Windows Journal\it-IT\dllhost.exe
File created                  C:\Program Files\Microsoft Office\Office14\1033\2d1d3ae651f38d
File opened for modification  C:\Program Files\Microsoft Office\Office14\1033\RCX2FD3.tmp
File opened for modification  C:\Program Files\Microsoft Office\Office14\1033\RCX3041.tmp
File opened for modification  C:\Program Files\Microsoft Office\Office14\1033\b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\sppsvc.exe
File created                  C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe
File opened for modification  C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe
File created                  C:\Program Files\Windows Journal\it-IT\5940a34987c991
File created                  C:\Program Files (x86)\MSBuild\Microsoft\6cb0b6c459d5d3
File created                  C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\sppsvc.exe
File opened for modification  C:\Program Files\Windows Journal\it-IT\RCX2DCE.tmp
File opened for modification  C:\Program Files\Windows Journal\it-IT\RCX2DCF.tmp
File created                  C:\Program Files\Windows Journal\it-IT\dllhost.exe
File created                  C:\Program Files\Microsoft Office\Office14\1033\b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
File created                  C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\0a1fd5f707cd16
The dropper writes copies of itself under the names of Windows system binaries (dllhost.exe, dwm.exe, sppsvc.exe) into directories where those names do not belong, plus one copy under its own name in the Office14\1033 folder; each copy is accompanied by a 14-character hex file with no extension in the same directory. -
Drops file in Windows directory 5 IoCs
Processes: b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe (all rows)
description                   ioc
File created                  C:\Windows\L2Schemas\886983d96e3d3e
File opened for modification  C:\Windows\L2Schemas\RCX2958.tmp
File opened for modification  C:\Windows\L2Schemas\RCX2959.tmp
File opened for modification  C:\Windows\L2Schemas\csrss.exe
File created                  C:\Windows\L2Schemas\csrss.exe -
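The two file-drop sections above share one pattern: a system-binary name in a directory where it does not belong, next to an extensionless hex-named companion. The following added example (mine, not sandbox code) turns that into a check that can be run over the "File created"/"File opened for modification" lines of a report like this one. The file lines are copied from the two sections above; the list of system binaries, the accepted system directories and the companion-name length range are my assumptions.

```python
"""Spot dropped files that borrow Windows system binary names outside the
system directories, and the extensionless hex companions written next to
them.

Added example; not part of the report. The file lines are copied from the
"Drops file in Program Files directory" / "Drops file in Windows directory"
sections; the system-binary list and the thresholds are assumptions.
"""
import re
from collections import defaultdict

# Names of Windows binaries that live only in the system directories (assumed list).
SYSTEM_BINARIES = {"dwm.exe", "csrss.exe", "dllhost.exe", "sppsvc.exe",
                   "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# The companions in this report are 14 lowercase hex characters with no
# extension; the range is widened a little on purpose.
_HEX_NAME = re.compile(r"^[0-9a-f]{12,16}$")
_FILE_LINE = re.compile(r"^File (created|opened for modification) (.+?) (\S+)$")

SAMPLE = "b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe"
REPORT_LINES = [
    rf"File created C:\Program Files\Microsoft Office\Office14\1033\2d1d3ae651f38d {SAMPLE}",
    rf"File created C:\Program Files\Microsoft Office\Office14\1033\{SAMPLE} {SAMPLE}",
    rf"File created C:\Program Files\Windows Journal\it-IT\dllhost.exe {SAMPLE}",
    rf"File created C:\Program Files\Windows Journal\it-IT\5940a34987c991 {SAMPLE}",
    rf"File created C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe {SAMPLE}",
    rf"File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe {SAMPLE}",
    rf"File created C:\Program Files (x86)\MSBuild\Microsoft\6cb0b6c459d5d3 {SAMPLE}",
    rf"File created C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\sppsvc.exe {SAMPLE}",
    rf"File created C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\0a1fd5f707cd16 {SAMPLE}",
    rf"File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\RCX38D0.tmp {SAMPLE}",
    rf"File created C:\Windows\L2Schemas\csrss.exe {SAMPLE}",
    rf"File created C:\Windows\L2Schemas\886983d96e3d3e {SAMPLE}",
]


def parse_file_line(line):
    """Split a report line into (operation, path, process), or None."""
    m = _FILE_LINE.match(line.strip())
    return (m.group(1), m.group(2), m.group(3)) if m else None


def audit_drops(lines):
    """Return masquerading executables and hex companions grouped by
    directory; a directory holding both is the strongest signal."""
    seen = set()
    by_dir = defaultdict(lambda: {"masquerades": [], "companions": []})
    for rec in map(parse_file_line, lines):
        if rec is None or rec[1] in seen:
            continue                      # ignore unparsable and duplicate paths
        seen.add(rec[1])
        directory, _, name = rec[1].rpartition("\\")
        lname = name.lower()
        if lname in SYSTEM_BINARIES and directory.lower() not in SYSTEM_DIRS:
            by_dir[directory]["masquerades"].append(name)
        elif _HEX_NAME.match(lname):
            by_dir[directory]["companions"].append(name)
    paired = sorted(d for d, v in by_dir.items() if v["masquerades"] and v["companions"])
    return {"by_dir": dict(by_dir), "paired_dirs": paired}


if __name__ == "__main__":
    for d, v in audit_drops(REPORT_LINES)["by_dir"].items():
        print(d, v)
```

On the report's lines this finds four masquerading executables and five companions; the Office14\1033 directory holds a companion but no masquerade because the copy there keeps the sample's own name. The RCX*.tmp files and the self-named copy fall through both checks, which is the intended behaviour: the check is meant to be narrow enough to run across a fleet.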
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (30 instances)
pid: 2504, 2524, 2284, 2760, 620, 3052, 2476, 2592, 2864, 1832, 3000, 2040, 1628, 2680, 1792, 1504, 2768, 1304, 2520, 2608, 1604, 2868, 2664, 2884, 1624, 820, 2828, 2836, 2676, 2088 -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe, powershell.exe (12 instances), dwm.exe
pid                                                                     process                                               entries
1700                                                                    b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe  29
1600, 2124, 1228, 2964, 1516, 2972, 1740, 1968, 1756, 1724, 876, 1568  powershell.exe                                        1 each
1012                                                                    dwm.exe                                               23 -
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes: b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe, powershell.exe (12 instances), dwm.exe (6 instances)
description (all rows): Token: SeDebugPrivilege
pid                                                                     process
1700                                                                    b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
1600, 2124, 1228, 2964, 1516, 2972, 1740, 1968, 1756, 1724, 876, 1568  powershell.exe
1012, 2968, 1988, 2488, 2792, 2564                                      dwm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes: b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe, cmd.exe, dwm.exe (3 instances), WScript.exe (2 instances)
Each parent/child pair below is listed three times in the report (three writes per process creation) except the last, where the 64-IoC listing ends.
pid   process                                               target pid  target process
1700  b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe  1756        powershell.exe
1700  b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe  876         powershell.exe
1700  b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe  1516        powershell.exe
1700  b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe  2964        powershell.exe
1700  b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe  2124        powershell.exe
1700  b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe  2972        powershell.exe
1700  b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe  1968        powershell.exe
1700  b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe  1740        powershell.exe
1700  b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe  1600        powershell.exe
1700  b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe  1724        powershell.exe
1700  b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe  1568        powershell.exe
1700  b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe  1228        powershell.exe
1700  b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe  2516        cmd.exe
2516  cmd.exe                                               2508        w32tm.exe
2516  cmd.exe                                               1012        dwm.exe
1012  dwm.exe                                               1848        WScript.exe
1012  dwm.exe                                               1116        WScript.exe
1848  WScript.exe                                           2968        dwm.exe
2968  dwm.exe                                               1812        WScript.exe
2968  dwm.exe                                               2264        WScript.exe
1812  WScript.exe                                           1988        dwm.exe
1988  dwm.exe                                               1608        WScript.exe (1 entry) -
System policy modification 1 TTPs 21 IoCs
Processes: b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe, dwm.exe (6 instances)
description      ioc (value under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System)  process
Set value (int)  EnableLUA = "0"                        b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
Set value (int)  PromptOnSecureDesktop = "0"            b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"       dwm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"       dwm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"       dwm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"       dwm.exe
Set value (int)  PromptOnSecureDesktop = "0"            dwm.exe
Set value (int)  PromptOnSecureDesktop = "0"            dwm.exe
Set value (int)  EnableLUA = "0"                        dwm.exe
Set value (int)  EnableLUA = "0"                        dwm.exe
Set value (int)  PromptOnSecureDesktop = "0"            dwm.exe
Set value (int)  EnableLUA = "0"                        dwm.exe
Set value (int)  PromptOnSecureDesktop = "0"            dwm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"       b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
Set value (int)  EnableLUA = "0"                        dwm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"       dwm.exe
Set value (int)  PromptOnSecureDesktop = "0"            dwm.exe
Set value (int)  EnableLUA = "0"                        dwm.exe
Set value (int)  EnableLUA = "0"                        dwm.exe
Set value (int)  PromptOnSecureDesktop = "0"            dwm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"       dwm.exe -
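Three sections of this report (the UAC registry writes, the EnableLUA reads, and the system policy modification list above) describe the same handful of registry values from different angles. The following added example (mine, not sandbox code) replays such "Set value"/"Key value queried" lines in order and reduces them to a single UAC posture verdict, naming which processes wrote and read the values and ignoring unrelated keys. The input lines are copied from those sections, with one constructed unrelated line to show it is skipped; the regex and the verdict wording are my own.

```python
"""Reduce registry IoC lines from the report to a UAC posture verdict.

Added example; not part of the sandbox report. The input lines are copied
from the UAC-related sections above (one unrelated line is constructed);
the regex and the verdict logic are this example's own.
"""
import re

_LINE = re.compile(
    r'^(Set value \((\w+)\)|Key value queried)\s+(\\REGISTRY\S+?)'
    r'(?:\s*=\s*"([^"]*)")?\s+(\S+)$')

_UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Value name -> meaning of "0". EnableLUA only takes effect after a reboot;
# the other two change prompt behaviour immediately.
_UAC_VALUES = {
    "EnableLUA": "UAC disabled entirely (after reboot)",
    "ConsentPromptBehaviorAdmin": "admins elevate without any prompt",
    "PromptOnSecureDesktop": "prompts no longer shown on the secure desktop",
}


def parse(line):
    """Split one report line into op/key/name/data/process, or None."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    op = "set" if m.group(1).startswith("Set") else "query"
    key, _, name = m.group(3).rpartition("\\")
    return {"op": op, "key": key, "name": name, "data": m.group(4), "process": m.group(5)}


def uac_posture(lines):
    """Replay the operations in order and report the final UAC-relevant
    state plus which processes wrote or read it."""
    state, writers, readers, ignored = {}, set(), set(), 0
    for rec in map(parse, lines):
        if (rec is None or rec["key"].lower() != _UAC_KEY.lower()
                or rec["name"] not in _UAC_VALUES):
            ignored += 1
            continue
        if rec["op"] == "set":
            state[rec["name"]] = rec["data"]
            writers.add(rec["process"])
        else:
            readers.add(rec["process"])
    findings = [_UAC_VALUES[n] for n, v in state.items() if v == "0"]
    return {"state": state, "findings": findings, "writers": sorted(writers),
            "readers": sorted(readers), "ignored": ignored,
            "uac_disabled": state.get("EnableLUA") == "0"}


P = _UAC_KEY
SAMPLE = "b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe"
REPORT_LINES = [
    f'Key value queried {P}\\EnableLUA {SAMPLE}',
    f'Set value (int) {P}\\ConsentPromptBehaviorAdmin = "0" {SAMPLE}',
    f'Set value (int) {P}\\PromptOnSecureDesktop = "0" {SAMPLE}',
    f'Set value (int) {P}\\EnableLUA = "0" {SAMPLE}',
    f'Key value queried {P}\\EnableLUA dwm.exe',
    f'Set value (int) {P}\\EnableLUA = "0" dwm.exe',
    f'Set value (int) {P}\\ConsentPromptBehaviorAdmin = "0" dwm.exe',
    f'Set value (int) {P}\\PromptOnSecureDesktop = "0" dwm.exe',
    # constructed, unrelated key: must be counted as ignored
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1\Software\Example\Run = "x" dwm.exe',
]

if __name__ == "__main__":
    print(uac_posture(REPORT_LINES))
```

On a live host the same three values can be read with `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA` (and the other two names); after this sample runs, all three read 0 and the machine prompts for nothing once it reboots.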
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
command line: "C:\Users\Admin\AppData\Local\Temp\b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe"
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1700 -
[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756
-
-
[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:876
-
-
[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516
-
-
[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964
-
-
[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124
-
-
[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972
-
-
[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968
-
-
[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740
-
-
[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600
-
-
[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724
-
-
[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568
-
-
[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228
-
-
[level 2] C:\Windows\System32\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OVarqRTQ45.bat"
- Suspicious use of WriteProcessMemory
PID:2516 -
[level 3] C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
(no signatures; the batch file uses this as a delay: taking two time samples from localhost five seconds apart blocks for a few seconds before the next line launches dwm.exe, without calling a sleep utility that is not present on Windows 7)
PID:2508
-
-
[level 3] C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe
command line: "C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1012 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4b0421b-1aa8-4c6c-8adc-57522200d294.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe"C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2968 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31f6a87d-1896-4471-93fa-f47f584bed63.vbs"6⤵
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe"C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1988 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79fbe3e9-56e5-45ac-b2e3-6bca4d45cff6.vbs"8⤵PID:1608
-
C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe"C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe"9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2488 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f877131-0027-4967-a8cf-2ffa3e904e5e.vbs"10⤵PID:484
-
C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe"C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe"11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2792 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e84f8ea0-bcfc-420a-8ed1-d2bcd045a5b9.vbs"12⤵PID:912
-
C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe"C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe"13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2564 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5aa08017-455a-48f9-b645-2870aa3e95e9.vbs"14⤵PID:292
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b7bd833-3897-412e-b601-45bda62f7bb0.vbs"14⤵PID:2632
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3119429-7f84-4723-a0d1-472412eabcd4.vbs"12⤵PID:1864
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b53184b2-7422-4245-934b-96e353e0e4bd.vbs"10⤵PID:2748
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\096f9734-7ec3-4806-ae02-a4ab743584e9.vbs"8⤵PID:1488
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57b04c4d-e206-4b97-9ae0-eec4520ac19b.vbs"6⤵PID:2264
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f91d1f7-c2ed-485e-b20d-a034420d14fb.vbs"4⤵PID:1116
-
-
-
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\sppsvc.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\sppsvc.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\sppsvc.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\csrss.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\it-IT\dllhost.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\dllhost.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\it-IT\dllhost.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b6c83df257a00210c12b42d28a5df730_NeikiAnalyticsb" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\1033\b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b6c83df257a00210c12b42d28a5df730_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b6c83df257a00210c12b42d28a5df730_NeikiAnalyticsb" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\explorer.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\sppsvc.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\sppsvc.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\sppsvc.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads