Analysis

max time kernel: 150s
max time network: 147s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 16-05-2024 00:58

Behavioral task: behavioral1
Sample: 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
Resource: win7-20240419-en

General

Target: 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
Size: 2.9MB
MD5: 6a9aaa3fc23d1561df97e3f9eb2de110
SHA1: d0effad0bad292fb0bcb377cbafacd8db83a474e
SHA256: 9ff431f5f1b0f09adff076f71cdfbe91566f3b00f5ea57fc9e4c02aef199a565
SHA512: 7350bce60b1a9ffb8ce8c8f98e17ebef7931db0f8a77af7d4dfef0ac02065169ec51734e0602a2be5790e77be9703ea560f3caf640dbaee85fc30e4630912c4c
SSDEEP: 49152:P4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:gDKmzjWnC8Wikx1DUN2/Uq
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2552 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2748 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2692 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2520 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2580 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2196 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2340 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3016 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2768 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2760 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2880 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2876 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3024 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3020 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 316 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1724 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2028 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1564 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1984 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2576 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1420 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1188 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1340 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2232 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2052 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2616 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2896 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2952 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2088 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2060 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 484 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1080 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1548 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1824 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1788 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2044 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 468 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 688 | 2728 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1532 | 2728 | schtasks.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Processes:
resource | yara_rule
behavioral1/memory/2424-1-0x00000000003C0000-0x00000000006A6000-memory.dmp | dcrat
C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\services.exe | dcrat
C:\Windows\Help\OEM\lsm.exe | dcrat
behavioral1/memory/2236-211-0x0000000000E30000-0x0000000001116000-memory.dmp | dcrat
behavioral1/memory/2884-278-0x00000000011B0000-0x0000000001496000-memory.dmp | dcrat
behavioral1/memory/2492-301-0x0000000001200000-0x00000000014E6000-memory.dmp | dcrat
behavioral1/memory/1520-348-0x00000000001D0000-0x00000000004B6000-memory.dmp | dcrat
behavioral1/memory/2556-361-0x0000000000CD0000-0x0000000000FB6000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
2668 | powershell.exe
2624 | powershell.exe
2704 | powershell.exe
2736 | powershell.exe
2072 | powershell.exe
2116 | powershell.exe
2808 | powershell.exe
2644 | powershell.exe
2676 | powershell.exe
2740 | powershell.exe
1576 | powershell.exe
3028 | powershell.exe
Executes dropped EXE 14 IoCs
Processes:
pid | process
2236 | Idle.exe
2436 | Idle.exe
1988 | Idle.exe
1576 | Idle.exe
2676 | Idle.exe
2204 | Idle.exe
2884 | Idle.exe
1736 | Idle.exe
2492 | Idle.exe
2088 | Idle.exe
1948 | Idle.exe
2504 | Idle.exe
1520 | Idle.exe
2556 | Idle.exe
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Idle.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Idle.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Idle.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Idle.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Idle.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Drops file in Program Files directory 12 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\Google\Chrome\Application\lsass.exe | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\RCX13D2.tmp | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Windows Sidebar\es-ES\RCX1C4E.tmp | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\RCX28D2.tmp | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\lsass.exe | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File created | C:\Program Files\Microsoft Office\Office14\csrss.exe | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File created | C:\Program Files\Windows Sidebar\es-ES\Idle.exe | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File created | C:\Program Files\Windows Sidebar\es-ES\6ccacd8608530f | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Windows Sidebar\es-ES\Idle.exe | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File created | C:\Program Files\Microsoft Office\Office14\886983d96e3d3e | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File created | C:\Program Files\Google\Chrome\Application\6203df4a6bafc7 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\csrss.exe | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
Drops file in Windows directory 12 IoCs
Processes:
description | ioc | process
File created | C:\Windows\CSC\csrss.exe | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File opened for modification | C:\Windows\Help\OEM\RCX1142.tmp | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File opened for modification | C:\Windows\Help\OEM\lsm.exe | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File opened for modification | C:\Windows\CSC\csrss.exe | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File opened for modification | C:\Windows\ShellNew\RCX1E52.tmp | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File opened for modification | C:\Windows\ShellNew\Idle.exe | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File created | C:\Windows\Help\OEM\lsm.exe | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File created | C:\Windows\Help\OEM\101b941d020240 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File created | C:\Windows\CSC\886983d96e3d3e | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File created | C:\Windows\ShellNew\Idle.exe | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File created | C:\Windows\ShellNew\6ccacd8608530f | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File opened for modification | C:\Windows\CSC\RCX15D6.tmp | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
1824 | schtasks.exe
1532 | schtasks.exe
2552 | schtasks.exe
2768 | schtasks.exe
1724 | schtasks.exe
2028 | schtasks.exe
2616 | schtasks.exe
2748 | schtasks.exe
2692 | schtasks.exe
1564 | schtasks.exe
2088 | schtasks.exe
3024 | schtasks.exe
1984 | schtasks.exe
1340 | schtasks.exe
2052 | schtasks.exe
2896 | schtasks.exe
1420 | schtasks.exe
2232 | schtasks.exe
2060 | schtasks.exe
1548 | schtasks.exe
1080 | schtasks.exe
2044 | schtasks.exe
2520 | schtasks.exe
2760 | schtasks.exe
316 | schtasks.exe
2952 | schtasks.exe
484 | schtasks.exe
2580 | schtasks.exe
2196 | schtasks.exe
2880 | schtasks.exe
2340 | schtasks.exe
2876 | schtasks.exe
3020 | schtasks.exe
2576 | schtasks.exe
688 | schtasks.exe
3016 | schtasks.exe
1188 | schtasks.exe
1788 | schtasks.exe
468 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
pid | process
2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
2116 | powershell.exe
2808 | powershell.exe
2740 | powershell.exe
1576 | powershell.exe
2644 | powershell.exe
2704 | powershell.exe
3028 | powershell.exe
2736 | powershell.exe
2072 | powershell.exe
2624 | powershell.exe
2676 | powershell.exe
2668 | powershell.exe
2236 | Idle.exe
2436 | Idle.exe
1988 | Idle.exe
1576 | Idle.exe
2676 | Idle.exe
2204 | Idle.exe
2884 | Idle.exe
1736 | Idle.exe
2492 | Idle.exe
2088 | Idle.exe
1948 | Idle.exe
2504 | Idle.exe
1520 | Idle.exe
2556 | Idle.exe
Suspicious use of AdjustPrivilegeToken 27 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2116 | powershell.exe
Token: SeDebugPrivilege | 2808 | powershell.exe
Token: SeDebugPrivilege | 2740 | powershell.exe
Token: SeDebugPrivilege | 1576 | powershell.exe
Token: SeDebugPrivilege | 2644 | powershell.exe
Token: SeDebugPrivilege | 2704 | powershell.exe
Token: SeDebugPrivilege | 3028 | powershell.exe
Token: SeDebugPrivilege | 2736 | powershell.exe
Token: SeDebugPrivilege | 2072 | powershell.exe
Token: SeDebugPrivilege | 2624 | powershell.exe
Token: SeDebugPrivilege | 2676 | powershell.exe
Token: SeDebugPrivilege | 2668 | powershell.exe
Token: SeDebugPrivilege | 2236 | Idle.exe
Token: SeDebugPrivilege | 2436 | Idle.exe
Token: SeDebugPrivilege | 1988 | Idle.exe
Token: SeDebugPrivilege | 1576 | Idle.exe
Token: SeDebugPrivilege | 2676 | Idle.exe
Token: SeDebugPrivilege | 2204 | Idle.exe
Token: SeDebugPrivilege | 2884 | Idle.exe
Token: SeDebugPrivilege | 1736 | Idle.exe
Token: SeDebugPrivilege | 2492 | Idle.exe
Token: SeDebugPrivilege | 2088 | Idle.exe
Token: SeDebugPrivilege | 1948 | Idle.exe
Token: SeDebugPrivilege | 2504 | Idle.exe
Token: SeDebugPrivilege | 1520 | Idle.exe
Token: SeDebugPrivilege | 2556 | Idle.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 2424 wrote to memory of 1576 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 1576 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 1576 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2116 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2116 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2116 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 3028 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 3028 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 3028 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2808 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2808 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2808 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2072 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2072 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2072 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2668 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2668 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2668 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2740 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2740 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2740 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2736 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2736 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2736 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2704 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2704 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2704 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2676 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2676 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2676 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2624 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2624 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2624 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2644 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2644 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 2644 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 2424 wrote to memory of 1628 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | cmd.exe
PID 2424 wrote to memory of 1628 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | cmd.exe
PID 2424 wrote to memory of 1628 | 2424 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | cmd.exe
PID 1628 wrote to memory of 2328 | 1628 | cmd.exe | w32tm.exe
PID 1628 wrote to memory of 2328 | 1628 | cmd.exe | w32tm.exe
PID 1628 wrote to memory of 2328 | 1628 | cmd.exe | w32tm.exe
PID 1628 wrote to memory of 2236 | 1628 | cmd.exe | Idle.exe
PID 1628 wrote to memory of 2236 | 1628 | cmd.exe | Idle.exe
PID 1628 wrote to memory of 2236 | 1628 | cmd.exe | Idle.exe
PID 2236 wrote to memory of 2080 | 2236 | Idle.exe | WScript.exe
PID 2236 wrote to memory of 2080 | 2236 | Idle.exe | WScript.exe
PID 2236 wrote to memory of 2080 | 2236 | Idle.exe | WScript.exe
PID 2236 wrote to memory of 880 | 2236 | Idle.exe | WScript.exe
PID 2236 wrote to memory of 880 | 2236 | Idle.exe | WScript.exe
PID 2236 wrote to memory of 880 | 2236 | Idle.exe | WScript.exe
PID 2080 wrote to memory of 2436 | 2080 | WScript.exe | Idle.exe
PID 2080 wrote to memory of 2436 | 2080 | WScript.exe | Idle.exe
PID 2080 wrote to memory of 2436 | 2080 | WScript.exe | Idle.exe
PID 2436 wrote to memory of 1416 | 2436 | Idle.exe | WScript.exe
PID 2436 wrote to memory of 1416 | 2436 | Idle.exe | WScript.exe
PID 2436 wrote to memory of 1416 | 2436 | Idle.exe | WScript.exe
PID 2436 wrote to memory of 2648 | 2436 | Idle.exe | WScript.exe
PID 2436 wrote to memory of 2648 | 2436 | Idle.exe | WScript.exe
PID 2436 wrote to memory of 2648 | 2436 | Idle.exe | WScript.exe
PID 1416 wrote to memory of 1988 | 1416 | WScript.exe | Idle.exe
PID 1416 wrote to memory of 1988 | 1416 | WScript.exe | Idle.exe
PID 1416 wrote to memory of 1988 | 1416 | WScript.exe | Idle.exe
PID 1988 wrote to memory of 1720 | 1988 | Idle.exe | WScript.exe
System policy modification 1 TTPs 45 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe"
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2424 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3028 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2072 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2740 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644 -
C:\Windows\System32\cmd.exe (tree depth 2)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3CX563UFPi.bat"
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\system32\w32tm.exe (tree depth 3)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2328
-
C:\Program Files\Windows Sidebar\es-ES\Idle.exe (tree depth 3)
Command line: "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2236 -
C:\Windows\System32\WScript.exe (tree depth 4)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49826c25-5c99-4bc1-aa3f-4a738c1ab5e2.vbs"
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Program Files\Windows Sidebar\es-ES\Idle.exe (tree depth 5)
Command line: "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2436 -
C:\Windows\System32\WScript.exe (tree depth 6)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bbdc585-da7f-4571-9fac-1cb196e7f7f4.vbs"
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Program Files\Windows Sidebar\es-ES\Idle.exe (tree depth 7)
Command line: "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1988 -
C:\Windows\System32\WScript.exe (tree depth 8)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54e22a20-532b-4fa5-a601-e7966162b9dc.vbs"
PID:1720
-
C:\Program Files\Windows Sidebar\es-ES\Idle.exe (tree depth 9)
Command line: "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1576 -
C:\Windows\System32\WScript.exe (tree depth 10)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab9cc3c9-0286-43f6-beb3-dc9eb48f02b6.vbs"
PID:2088
-
C:\Program Files\Windows Sidebar\es-ES\Idle.exe (tree depth 11)
Command line: "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2676 -
C:\Windows\System32\WScript.exe (tree depth 12)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd28b351-d58b-4743-95cd-b85d6e0bc30d.vbs"
PID:1236
-
C:\Program Files\Windows Sidebar\es-ES\Idle.exe (tree depth 13)
Command line: "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2204 -
C:\Windows\System32\WScript.exe (tree depth 14)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1144ab3c-b35d-41f5-b82d-b7e715f57d14.vbs"
PID:2588
-
C:\Program Files\Windows Sidebar\es-ES\Idle.exe (tree depth 15)
Command line: "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2884 -
C:\Windows\System32\WScript.exe (tree depth 16)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3329b7e-3343-4468-87e9-32c0397bd0bc.vbs"
PID:2416
-
C:\Program Files\Windows Sidebar\es-ES\Idle.exe (tree depth 17)
Command line: "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1736 -
C:\Windows\System32\WScript.exe (tree depth 18)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e29a1080-1ed8-4f23-a275-d0f29b93cf5c.vbs"
PID:2740
-
C:\Program Files\Windows Sidebar\es-ES\Idle.exe (tree depth 19)
Command line: "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2492 -
C:\Windows\System32\WScript.exe (tree depth 20)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9be8320-80fa-4dc0-99a4-dfa97402f70f.vbs"
PID:812
-
C:\Program Files\Windows Sidebar\es-ES\Idle.exe (tree depth 21)
Command line: "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2088 -
C:\Windows\System32\WScript.exe (tree depth 22)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a07731de-3150-4c5a-bade-fdb118f8f4da.vbs"
PID:1536
-
C:\Program Files\Windows Sidebar\es-ES\Idle.exe (tree depth 23)
Command line: "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1948 -
C:\Windows\System32\WScript.exe (tree depth 24)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49a39565-ba88-4436-99d1-f3fdd6b76258.vbs"
PID:2104
-
C:\Program Files\Windows Sidebar\es-ES\Idle.exe (tree depth 25)
Command line: "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2504 -
C:\Windows\System32\WScript.exe (tree depth 26)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80d6d7fb-e896-49a5-811a-a4e7dd703909.vbs"
PID:1564
-
C:\Program Files\Windows Sidebar\es-ES\Idle.exe (tree depth 27)
Command line: "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1520 -
C:\Windows\System32\WScript.exe (tree depth 28)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6343f0ad-b255-429d-b213-78c192783808.vbs"
PID:2964
-
C:\Program Files\Windows Sidebar\es-ES\Idle.exe (tree depth 29)
Command line: "C:\Program Files\Windows Sidebar\es-ES\Idle.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2556 -
C:\Windows\System32\WScript.exe (tree depth 30)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\589ef245-c9bb-443e-8ca5-b45d1d50d637.vbs"
PID:556
-
C:\Windows\System32\WScript.exe (tree depth 30)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ae23af8-939f-4d80-8691-30b9e82ec339.vbs"
PID:1860
-
C:\Windows\System32\WScript.exe (tree depth 28)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ce710fd-9994-4f5a-bb6a-bb4f08529873.vbs"
PID:2596
-
C:\Windows\System32\WScript.exe (tree depth 26)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e93b0419-f4e4-49b8-b814-9ca3e3ec3769.vbs"
PID:1504
-
C:\Windows\System32\WScript.exe (tree depth 24)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01a11dd9-cae8-4f9d-970e-3f569a75999a.vbs"
PID:1080
-
C:\Windows\System32\WScript.exe (tree depth 22)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d085139-99b0-4712-a783-7797906660a5.vbs"
PID:2220
-
C:\Windows\System32\WScript.exe (tree depth 20)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2627fa4f-d541-46fb-877a-9a70b04b7fe5.vbs"
PID:2440
-
C:\Windows\System32\WScript.exe (tree depth 18)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f0a07ac-7cc7-422d-b1b8-934afefac1b0.vbs"
PID:2108
-
C:\Windows\System32\WScript.exe (tree depth 16)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ddce6bb-633c-49a0-baf6-510e9aa6d729.vbs"
PID:484
-
C:\Windows\System32\WScript.exe (tree depth 14)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3297548-a8f4-4875-8fc1-362465cdbcac.vbs"
PID:1800
-
C:\Windows\System32\WScript.exe (tree depth 12)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d97d438-9e60-4465-b438-390ce9b614b8.vbs"
PID:3060
-
C:\Windows\System32\WScript.exe (tree depth 10)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55ac1b5e-1d4c-45fd-986f-136b9951809a.vbs"
PID:2052
-
C:\Windows\System32\WScript.exe (tree depth 8)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4bc378b-678a-4ee0-8826-6b292d37a714.vbs"
PID:2900
-
C:\Windows\System32\WScript.exe (tree depth 6)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7a3c98e-2b1f-4142-acb0-96f19afcaaac.vbs"
PID:2648
-
C:\Windows\System32\WScript.exe (tree depth 4)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\466efd95-f006-4848-bbaa-281cded59da6.vbs"
PID:880
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\OEM\lsm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Help\OEM\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2580
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\OEM\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2340
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\CSC\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\CSC\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2880
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\CSC\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2876
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\services.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3020
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\es-ES\Idle.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\es-ES\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\es-ES\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1420
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellNew\Idle.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1188
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ShellNew\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1340
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\dllhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2952
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2060
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:484
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\lsass.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:468
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:688
-
C:\Windows\system32\schtasks.exe (tree depth 1)
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Scheduled Task/Job (1)
Downloads
-
Filesize
2.9MB
MD5
6a9aaa3fc23d1561df97e3f9eb2de110
SHA1
d0effad0bad292fb0bcb377cbafacd8db83a474e
SHA256
9ff431f5f1b0f09adff076f71cdfbe91566f3b00f5ea57fc9e4c02aef199a565
SHA512
7350bce60b1a9ffb8ce8c8f98e17ebef7931db0f8a77af7d4dfef0ac02065169ec51734e0602a2be5790e77be9703ea560f3caf640dbaee85fc30e4630912c4c
-
Filesize
723B
MD5
57cbccde450509c6ab09c5d3b1199d8a
SHA1
3e9ac7caeb054a8ece0b066fd8599e96fff607cb
SHA256
5e829a39874046829407ac06056eabbd1da31aabbd9e0b9af94f7256c58e31cf
SHA512
e8c58f70b53baa4374fbeaa57060c16041e065d5cdcf7614a741377281ae27ce2e9879ebb460e1cfbe0e2bf0bbfe77960d61c3cae3425b24d7941ac514aa00da
-
Filesize
212B
MD5
4cee3ee745316361d33736371fae099d
SHA1
189c9b3a489a4be6f073d8dd9f63793521083ef0
SHA256
881f602be8eff02d6088ff59c4f446f8dbee2e1314b340761054d5d3ca120cfe
SHA512
142b43bc4958d3f8b716d54052a3e9ea82b26b7d44bc9f6029fcc4f55fda89b0af653682c109227b249d57fe80cf8a4cb068fff01bf8319e65d239f6e8219aa5
-
Filesize
499B
MD5
d279ffeddb672c0574d50fd0603b352c
SHA1
7e30272da64301c8143262cec0b05efd35c19fb8
SHA256
fa6403f7d4faacc86308a9f6bcf34383bcd94a1e57c39c9e48fd0086d0454e49
SHA512
dc38dd5b1f5082b433dcf48769372a163fd4aae56706e22a73b5f2dc880f57839cf1987eba5ad688cd46784ad731d1b996fa4639035240e61292a9de687f9909
-
Filesize
723B
MD5
9c14c796aaaa7a71c730e5faa3597e48
SHA1
2c3cee02bd3caa7ba8b504a399132036d6abc41e
SHA256
869146406fdac76f9f31814d24e2a15306602b95faf517cd834df61fedd7aa39
SHA512
a404169f5f92895834c452486fca2fe5e99531471de9021d57d48212daa04400630c02b5cdd0f8aa8bcabe77a71d9d4de2b5e728b7bb64ca4ecf1242400fb992
-
Filesize
723B
MD5
f83fd66632482cc8837f21f1260c2a9c
SHA1
5b398cb7b34313833d88512716b87fc715d6deb7
SHA256
213fea3636a3f4cb18bf4e7deefa055bbd7128f778a039ae18b4286aa57d69eb
SHA512
a09500ff85e331ed5762d7e864e70dca372c1986f10c92874f48f8fbee5c72178915eb863dbf5f568f27af364600a899bad59f64c454d85db0845ffc7c842966
-
Filesize
723B
MD5
23f71b5f3305a97992dc772954807b17
SHA1
5106448da55a9536568fc14064e621c27dc47fe1
SHA256
271361ce5b08262507403455f2be075341f12954edf5242c7cd4dbcab15cabdc
SHA512
ceb87fea61c4406468099795a7449f5f1a8f30e235d1570443519559c9b4c81d9b0be86845fa9c9f6031066469e29e776aedfddc801fb08dbabb36a7ebb15413
-
Filesize
723B
MD5
c364b4d79b175b8b44d50420aacd5b50
SHA1
1743da052c0588f5e93e42cce8b2e2e36c298d4e
SHA256
aeb2531a45d7c56c3ab2bab367cd58e337fcab93fa5d49fc0aee175b69d00c14
SHA512
ed03307cd18cc985ab002d9004273e4c143a4e4921d28f968fcff2d78c7df3f3371ad63994bb6b49eb09ac8f20afe64cca4ded60e99ec4187e42cb8f0f853336
-
Filesize
723B
MD5
b79027b0a0bf5b17a7e15b95f056d73a
SHA1
c659609f22f2610854bed6a84500e61012e4537f
SHA256
e63d7237f0ca2aa52dd99a7b424b01caf641a7547c0bd993cb512bd0342a0211
SHA512
f7c6afed874444b2a7cb8dc21c5a5221905e5a5bc30a1f54eb12f838f7e8f862f5869895c06b491540234d066537afc51fd4d112080c1585ae0424b3deceb8ca
-
Filesize
723B
MD5
9aca1ae2c4da37692ef932d77cbe1cd4
SHA1
adc19a474ccbf5d684b4d40a0aad6f277daa770b
SHA256
8394f54db95eceb863e6b064ec383b6af6dfc3c9e2ba573c83344740c87961d9
SHA512
22211aebe13205814abe45b6e384acfd349c5552c73d6b85de7274a6354be74c438f9ac4134444a8c0fcf5b246a6ea4b2dd3f88c947ec323185e75478cb54407
-
Filesize
723B
MD5
60c81da70dca8a46ccbc7a7b6b742179
SHA1
1e87b8fe172be8b0967243a92c9bfa4cb8149d90
SHA256
8e2ae07b1a1faa45503db9980c0293e86aabd7d0d231f1b557445b82a2a06fc8
SHA512
2270a70595d3445dad2ee07ee2772e90cc727a4df3b1deb744e7bada360a7d39eee1b81e65065b04d2f2b738f9f699c99e9483d32fc44c551bfe0a49a618a899
-
Filesize
723B
MD5
97f9bf57867013cb6778c85684b0f45f
SHA1
954cdf489203c6765127ad729d3f711d2fb9acc4
SHA256
08cd93e0a3881df5123d50da9d398a5317fb66d560ab45ae6b1cbfabe3ad0021
SHA512
1b150acc9d029f1b517def6a7a3714638b3217798dea0f5fa4092996ccf00f199415f93ba96a6291df957e0dc1dd91ec6295e5e928582f642fc4b6f20820dab9
-
Filesize
723B
MD5
3dba91318ab6b4edadddaeb4b6afbf9b
SHA1
911aa03677b68032e72a5e6aa6e4c41d737d7988
SHA256
9e06037f15528beabedd5b19cdf2081ab500688614bce1a2ac98ce6705fdeafc
SHA512
e94126c2aade4943abda820dc61d6bf4b5b24d1893f6b75b2333d97aa3eb4de32ba118020ff3b75d7fab67bc0b1351ddae3f681cbc48f89cae8eafc646a6b21d
-
Filesize
723B
MD5
eceb5c103f395835002b77f022abd363
SHA1
3adac56971ecc3f5b36d1e9fd59911a34a65d063
SHA256
f9291020956e02b71888b7e5b3f18d8a42ba3855de918b9f2a7d3f4aaac03840
SHA512
0d70724d96754ed93de42ef65c47a2e988e64ba57527f83d36fa57c9c0b0512bc87b6558841b846f7605f81b9493e696f0e46c1cf7dbb32d0617cecda8bebcee
-
Filesize
723B
MD5
63d03fd8ec4ebba8c937ec34cabdea8e
SHA1
3379279e93bbd2beff77b599437343f046905c5f
SHA256
da1c497968b43920141acb9ecbe72eeb5d304de585db2ecb24058d06d2871442
SHA512
f004a76135b3186376cc766fd99248d7831c974bc2367d72bfb48d07be7f5b0b589c5af40cc05e95bc2618f9372800e666a9af64ef535c3e6ab221beac14c911
-
Filesize
723B
MD5
17558f8fc91934b0855dde2ee53a1b33
SHA1
07d0004c9e010e4f51f3f90fd06743b9e0002d11
SHA256
fa081074d0e5d0813fff17302feec10cb97c0330e90abc01d55475a66fb646b2
SHA512
2b497c895a9124f62c0bcc9c877e8db646830186744bc0681e2cd23ae4e87aa0ff8ef5b7682adcabcacd8379ac28a7fa3049e613d6ce5b1e9aeb5b84e886d165
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
29cc22c9bc4b490cadc2c8f53fbeba1c
SHA1
8084f70d9d3a21e8842bc38ec4f1d8886f574047
SHA256
b63901388181cff633d54e92ad2334c8160bae2484fd59c010a9ff72d91ebf27
SHA512
59336a701b951fd5ce04d73bf303971d3ed39d786a54a43811ca2bcbba5df947ebacc69abea0e2556dc6ba85ef21ca87880f42f45bc1b59f265fa85d41a5c1f2
-
Filesize
2.9MB
MD5
e17fb157eae52b5f58b87dad6502a016
SHA1
cf2fa3279fb7954d22d217944c92857325937906
SHA256
50bb441932784356b8610a513d3d014b5318db54b867e5c6328742bd6baa08d3
SHA512
a339bd3bfa9db7ccc3bbd84936bfa161102b4039e047e8c236d67d40784c7153062f6c766a72f80c9e5cfe0848d8e38077c925fb79eb55983e4a0a7f1c9f79d4