Analysis

max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 15-05-2024 14:32

Behavioral task: behavioral1
Sample: d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
Resource: win7-20240215-en

General

Target: d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
Size: 3.2MB
MD5: d67c083b7f55c40deae2ac79549d0a70
SHA1: c47be45497fe044d732a847a21b7b2be0172c8c5
SHA256: ba381b7847ed129aa068cee625f78d7a8ec511a55d55feb86e22159ab43b6357
SHA512: 2fb0a24efd4e6349cc1f0f4193ac1b512dcb679478b65f51fb967b6c736192eb0e161e7020756e4a9ce03f89aae7789bac5ce57c0968ee60b095a25654511d6d
SSDEEP: 49152:HC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:HC0Fl8v/qXYrv5tG9uKJGAWl5N
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a .NET RAT active since June 2019, capable of loading additional plugins.

Process spawned unexpected child process (24 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2396 | 2564 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2432 | 2564 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2952 | 2564 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2572 | 2564 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2012 | 2564 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2716 | 2564 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2692 | 2564 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2488 | 2564 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2772 | 2564 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2820 | 2564 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1604 | 2564 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1752 | 2564 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1240 | 2564 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2388 | 2564 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2032 | 2564 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1964 | 2564 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2584 | 2564 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2732 | 2564 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 816 | 2564 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2948 | 2564 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2976 | 2564 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2972 | 2564 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2936 | 2564 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2192 | 2564 | schtasks.exe
UAC bypass
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
DcRat YARA matches (rule dcrat)
resource | yara_rule
behavioral1/memory/2356-1-0x00000000013C0000-0x00000000016FC000-memory.dmp | dcrat
C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe | dcrat
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\csrss.exe | dcrat
C:\MSOCache\All Users\audiodg.exe | dcrat
C:\Users\Default\d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe | dcrat
C:\Windows\Logs\dwm.exe | dcrat
C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe | dcrat
behavioral1/memory/1564-215-0x00000000009F0000-0x0000000000D2C000-memory.dmp | dcrat
behavioral1/memory/1464-227-0x0000000000F90000-0x00000000012CC000-memory.dmp | dcrat
C:\Users\Admin\AppData\Local\Temp\f45c816abc36ba74a05acc781878969903929c42.exe | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 12 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
pid | process
1792 | powershell.exe
616 | powershell.exe
688 | powershell.exe
1636 | powershell.exe
1672 | powershell.exe
1544 | powershell.exe
1916 | powershell.exe
1872 | powershell.exe
936 | powershell.exe
2360 | powershell.exe
2052 | powershell.exe
1904 | powershell.exe
Executes dropped EXE (6 IoCs)
Processes:
pid | process
1564 | dwm.exe
1464 | dwm.exe
2964 | dwm.exe
356 | dwm.exe
1568 | dwm.exe
2424 | dwm.exe
Checks whether UAC is enabled
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Drops file in Program Files directory (15 IoCs)
Processes:
description | ioc | process
File created | C:\Program Files\Java\jdk1.7.0_80\db\bin\System.exe | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\RCX1F85.tmp | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\RCX2D94.tmp | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\System.exe | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\csrss.exe | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\886983d96e3d3e | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\6cb0b6c459d5d3 | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
File created | C:\Program Files\Java\jdk1.7.0_80\db\bin\27d1bcfc3c54e0 | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\RCX1F17.tmp | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\RCX28A0.tmp | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\RCX290F.tmp | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\RCX2D95.tmp | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\csrss.exe | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
Drops file in Windows directory (5 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\Logs\dwm.exe | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
File created | C:\Windows\Logs\6cb0b6c459d5d3 | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
File opened for modification | C:\Windows\Logs\RCX2B12.tmp | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
File opened for modification | C:\Windows\Logs\RCX2B81.tmp | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
File opened for modification | C:\Windows\Logs\dwm.exe | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 24 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
816 | schtasks.exe
1604 | schtasks.exe
1240 | schtasks.exe
2572 | schtasks.exe
2012 | schtasks.exe
2488 | schtasks.exe
1752 | schtasks.exe
2032 | schtasks.exe
2732 | schtasks.exe
2396 | schtasks.exe
2952 | schtasks.exe
2948 | schtasks.exe
2692 | schtasks.exe
2820 | schtasks.exe
2584 | schtasks.exe
2192 | schtasks.exe
2432 | schtasks.exe
2716 | schtasks.exe
1964 | schtasks.exe
2976 | schtasks.exe
2972 | schtasks.exe
2936 | schtasks.exe
2772 | schtasks.exe
2388 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (identical rows collapsed, with the number of occurrences):
pid | process | occurrences
2356 | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe | 31
2052 | powershell.exe | 1
1792 | powershell.exe | 1
1904 | powershell.exe | 1
936 | powershell.exe | 1
616 | powershell.exe | 1
1672 | powershell.exe | 1
1872 | powershell.exe | 1
1636 | powershell.exe | 1
688 | powershell.exe | 1
1544 | powershell.exe | 1
2360 | powershell.exe | 1
1916 | powershell.exe | 1
1564 | dwm.exe | 21
Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2356 | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2052 | powershell.exe
Token: SeDebugPrivilege | 1904 | powershell.exe
Token: SeDebugPrivilege | 1792 | powershell.exe
Token: SeDebugPrivilege | 936 | powershell.exe
Token: SeDebugPrivilege | 616 | powershell.exe
Token: SeDebugPrivilege | 1672 | powershell.exe
Token: SeDebugPrivilege | 1872 | powershell.exe
Token: SeDebugPrivilege | 1636 | powershell.exe
Token: SeDebugPrivilege | 688 | powershell.exe
Token: SeDebugPrivilege | 1544 | powershell.exe
Token: SeDebugPrivilege | 2360 | powershell.exe
Token: SeDebugPrivilege | 1916 | powershell.exe
Token: SeDebugPrivilege | 1564 | dwm.exe
Token: SeDebugPrivilege | 1464 | dwm.exe
Token: SeDebugPrivilege | 2964 | dwm.exe
Token: SeDebugPrivilege | 356 | dwm.exe
Token: SeDebugPrivilege | 1568 | dwm.exe
Token: SeDebugPrivilege | 2424 | dwm.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (identical rows collapsed, with the number of occurrences):
description | pid | process | target process | occurrences
PID 2356 wrote to memory of 1544 | 2356 | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe | powershell.exe | 3
PID 2356 wrote to memory of 1792 | 2356 | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe | powershell.exe | 3
PID 2356 wrote to memory of 1904 | 2356 | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe | powershell.exe | 3
PID 2356 wrote to memory of 1672 | 2356 | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe | powershell.exe | 3
PID 2356 wrote to memory of 1916 | 2356 | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe | powershell.exe | 3
PID 2356 wrote to memory of 1872 | 2356 | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe | powershell.exe | 3
PID 2356 wrote to memory of 936 | 2356 | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe | powershell.exe | 3
PID 2356 wrote to memory of 2052 | 2356 | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe | powershell.exe | 3
PID 2356 wrote to memory of 616 | 2356 | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe | powershell.exe | 3
PID 2356 wrote to memory of 1636 | 2356 | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe | powershell.exe | 3
PID 2356 wrote to memory of 688 | 2356 | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe | powershell.exe | 3
PID 2356 wrote to memory of 2360 | 2356 | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe | powershell.exe | 3
PID 2356 wrote to memory of 1532 | 2356 | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe | cmd.exe | 3
PID 1532 wrote to memory of 2772 | 1532 | cmd.exe | w32tm.exe | 3
PID 1532 wrote to memory of 1564 | 1532 | cmd.exe | dwm.exe | 3
PID 1564 wrote to memory of 1256 | 1564 | dwm.exe | WScript.exe | 3
PID 1564 wrote to memory of 828 | 1564 | dwm.exe | WScript.exe | 3
PID 1256 wrote to memory of 1464 | 1256 | WScript.exe | dwm.exe | 3
PID 1464 wrote to memory of 2960 | 1464 | dwm.exe | WScript.exe | 3
PID 1464 wrote to memory of 2760 | 1464 | dwm.exe | WScript.exe | 3
PID 2960 wrote to memory of 2964 | 2960 | WScript.exe | dwm.exe | 3
PID 2964 wrote to memory of 2368 | 2964 | dwm.exe | WScript.exe | 1
System policy modification (1 TTPs, 21 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dwm.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; the number in brackets is the nesting depth)

[1] C:\Users\Admin\AppData\Local\Temp\d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe"
    PID: 2356
    - UAC bypass
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      PID: 1544
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      PID: 1792
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      PID: 1904
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      PID: 1672
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      PID: 1916
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      PID: 1872
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      PID: 936
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      PID: 2052
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      PID: 616
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      PID: 1636
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      PID: 688
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      PID: 2360
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3yp8Lh1nvX.bat"
      PID: 1532
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\w32tm.exe
        command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        PID: 2772

    [3] C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe
        command line: "C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe"
        PID: 1564
        - UAC bypass
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

      [4] C:\Windows\System32\WScript.exe
          command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9134db37-908c-4b12-8154-6872eb89f89b.vbs"
          PID: 1256
          - Suspicious use of WriteProcessMemory

        [5] C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe
            command line: "C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe"
            PID: 1464
            - UAC bypass
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification

          [6] C:\Windows\System32\WScript.exe
              command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ef3bd7f-27d8-4e40-a9ea-25b2948042f2.vbs"
              PID: 2960
              - Suspicious use of WriteProcessMemory

            [7] C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe
                command line: "C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe"
                PID: 2964
                - UAC bypass
                - Executes dropped EXE
                - Checks whether UAC is enabled
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification

              [8] C:\Windows\System32\WScript.exe
                  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9814e38-6d80-41d9-9906-d36b3bb5075a.vbs"
                  PID: 2368

                [9] C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe
                    command line: "C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe"
                    PID: 356
                    - UAC bypass
                    - Executes dropped EXE
                    - Checks whether UAC is enabled
                    - Suspicious use of AdjustPrivilegeToken
                    - System policy modification

                  [10] C:\Windows\System32\WScript.exe
                       command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\714850e1-a388-4ed6-87ee-c07bc82a70f1.vbs"
                       PID: 2416

                    [11] C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe
                         command line: "C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe"
                         PID: 1568
                         - UAC bypass
                         - Executes dropped EXE
                         - Checks whether UAC is enabled
                         - Suspicious use of AdjustPrivilegeToken
                         - System policy modification

                      [12] C:\Windows\System32\WScript.exe
                           command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6531ce0e-8e9c-42ec-af19-042b51cdd3c8.vbs"
                           PID: 1956

                        [13] C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe
                             command line: "C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe"
                             PID: 2424
                             - UAC bypass
                             - Executes dropped EXE
                             - Checks whether UAC is enabled
                             - Suspicious use of AdjustPrivilegeToken
                             - System policy modification

                          [14] C:\Windows\System32\WScript.exe
                               command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6eba3c7-eaa4-48fb-b106-55e8c1e08021.vbs"
                               PID: 1680

                          [14] C:\Windows\System32\WScript.exe
                               command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac8e8718-061d-43e2-902f-e6527e055f53.vbs"
                               PID: 1672

                      [12] C:\Windows\System32\WScript.exe
                           command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15b2e935-933f-4737-a8f7-7e5f68b9f9c4.vbs"
                           PID: 2372

                  [10] C:\Windows\System32\WScript.exe
                       command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e267d95c-20ad-4ce0-a1a7-b5fbb846c075.vbs"
                       PID: 2616

              [8] C:\Windows\System32\WScript.exe
                  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c816ef90-c2c0-4528-a898-094a42074b6b.vbs"
                  PID: 1364

          [6] C:\Windows\System32\WScript.exe
              command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6a85ec2-deac-4ec4-8695-07e27c00e29e.vbs"
              PID: 2760

      [4] C:\Windows\System32\WScript.exe
          command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58c75df5-17af-4ea8-a9ca-29efd4cbb70e.vbs"
          PID: 828
-
Process: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2396

Process: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2432

Process: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2952

Process: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2572

Process: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2012

Process: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2716

Process: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "d67c083b7f55c40deae2ac79549d0a70_NeikiAnalyticsd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2692

Process: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics" /sc ONLOGON /tr "'C:\Users\Default User\d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2488

Process: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "d67c083b7f55c40deae2ac79549d0a70_NeikiAnalyticsd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2772

Process: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2820

Process: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1604

Process: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1752

Process: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1240

Process: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2388

Process: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2032

Process: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\dwm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1964

Process: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Logs\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2584

Process: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2732

Process: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\bin\System.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 816

Process: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\db\bin\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2948

Process: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\bin\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2976

Process: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Music\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2972

Process: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Music\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2936

Process: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Music\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2192
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
- Bypass User Account Control: 1
- Scheduled Task/Job: 1
Downloads