Analysis
max time kernel: 148s
max time network: 139s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 16-05-2024 01:57
Behavioral task: behavioral1
Sample: 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Resource: win7-20240220-en
General
Target: 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Size: 2.9MB
MD5: 78e93535702e2a553d85bac1d4737210
SHA1: 572ed789a4da08d6c3cc770b4b49bb6d6a4ea75f
SHA256: b6d844ec087f7be57656bfb4782919dbe0cf823301b441e68b7a7a8e757049fb
SHA512: ad2ff42ed3569df69618af61d3732744c3aa713816709dbe53b11ee07df97f744acd99c26155485a3dac76a4576592e181e3198bbaad86009de716b72a183baa
SSDEEP: 49152:H4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:YDKmzjWnC8Wikx1DUN2/Uq
Malware Config

Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process (54 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2608 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2480 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2708 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2680 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2444 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2464 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2224 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2924 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 800 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2768 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2704 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2784 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3064 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1536 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 612 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 764 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1924 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1968 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2396 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2328 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2732 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 300 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1340 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1332 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2052 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2124 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1980 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2428 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2288 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1736 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 696 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1028 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 712 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3044 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2276 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1860 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 284 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 412 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2196 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 784 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1820 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1544 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1636 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1252 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 328 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 916 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2148 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1872 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 796 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1692 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1672 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 988 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 872 | 2452 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1712 | 2452 | schtasks.exe

Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe

Processes:
resource | yara_rule
behavioral1/memory/1664-1-0x0000000001140000-0x0000000001426000-memory.dmp | dcrat
C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | dcrat
C:\Users\Admin\Downloads\lsass.exe | dcrat
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RCX3CC2.tmp | dcrat
behavioral1/memory/2844-253-0x0000000000BA0000-0x0000000000E86000-memory.dmp | dcrat
behavioral1/memory/1804-264-0x0000000001040000-0x0000000001326000-memory.dmp | dcrat
behavioral1/memory/988-276-0x0000000000300000-0x00000000005E6000-memory.dmp | dcrat
behavioral1/memory/2376-288-0x0000000000230000-0x0000000000516000-memory.dmp | dcrat
behavioral1/memory/2008-301-0x0000000000A50000-0x0000000000D36000-memory.dmp | dcrat
behavioral1/memory/1400-313-0x0000000000DC0000-0x00000000010A6000-memory.dmp | dcrat
behavioral1/memory/1616-325-0x0000000000130000-0x0000000000416000-memory.dmp | dcrat
behavioral1/memory/1808-337-0x00000000009F0000-0x0000000000CD6000-memory.dmp | dcrat
behavioral1/memory/1952-349-0x0000000000ED0000-0x00000000011B6000-memory.dmp | dcrat
behavioral1/memory/1524-373-0x00000000002F0000-0x00000000005D6000-memory.dmp | dcrat

Command and Scripting Interpreter: PowerShell (1 TTPs, 12 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
pid | process
2540 | powershell.exe
2444 | powershell.exe
324 | powershell.exe
1256 | powershell.exe
2088 | powershell.exe
2096 | powershell.exe
2224 | powershell.exe
2104 | powershell.exe
2080 | powershell.exe
2076 | powershell.exe
2644 | powershell.exe
2492 | powershell.exe

Executes dropped EXE (11 IoCs)
Processes:
pid | process
2844 | smss.exe
1804 | smss.exe
988 | smss.exe
2376 | smss.exe
2008 | smss.exe
1400 | smss.exe
1616 | smss.exe
1808 | smss.exe
1952 | smss.exe
272 | smss.exe
1524 | smss.exe

Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe

Drops file in Program Files directory (24 IoCs)
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Uninstall Information\c5b4cb5e9653cc | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsass.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\RCX2273.tmp | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Mail\ja-JP\spoolsv.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files\Microsoft Games\Minesweeper\ja-JP\cc11b995f2a76d | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Mail\ja-JP\f3b6ecef712a24 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\0a1fd5f707cd16 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Uninstall Information\RCX35DD.tmp | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\en-US\RCX3EC6.tmp | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files\Microsoft Games\Minesweeper\ja-JP\winlogon.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Uninstall Information\services.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\RCX37E0.tmp | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\ja-JP\spoolsv.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Portable Devices\cc11b995f2a76d | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Uninstall Information\services.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\6203df4a6bafc7 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\winlogon.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Microsoft Games\Minesweeper\ja-JP\RCX2B5C.tmp | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Microsoft Games\Minesweeper\ja-JP\winlogon.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\ja-JP\RCX2D60.tmp | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Portable Devices\winlogon.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsass.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe

Drops file in Windows directory (24 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\Offline Web Pages\spoolsv.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Windows\Offline Web Pages\f3b6ecef712a24 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Windows\debug\WIA\sppsvc.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Windows\debug\WIA\0a1fd5f707cd16 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Windows\Migration\WTR\lsass.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Windows\security\templates\csrss.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Windows\Migration\WTR\RCX1E6B.tmp | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Windows\Offline Web Pages\spoolsv.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Windows\Media\Festival\sppsvc.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Windows\L2Schemas\RCX4137.tmp | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Windows\Migration\WTR\6203df4a6bafc7 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Windows\security\templates\886983d96e3d3e | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Windows\L2Schemas\explorer.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Windows\L2Schemas\7a0fd90576e088 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Windows\debug\WIA\sppsvc.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Windows\Media\Festival\RCX33D9.tmp | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Windows\debug\WIA\RCX28EB.tmp | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Windows\L2Schemas\explorer.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Windows\Media\Festival\sppsvc.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Windows\Media\Festival\0a1fd5f707cd16 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Windows\Migration\WTR\lsass.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Windows\Offline Web Pages\RCX206F.tmp | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Windows\security\templates\RCX267A.tmp | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Windows\security\templates\csrss.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 54 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2608 | schtasks.exe
800 | schtasks.exe
1332 | schtasks.exe
1872 | schtasks.exe
1692 | schtasks.exe
3064 | schtasks.exe
2396 | schtasks.exe
2328 | schtasks.exe
2196 | schtasks.exe
1820 | schtasks.exe
2732 | schtasks.exe
1028 | schtasks.exe
712 | schtasks.exe
612 | schtasks.exe
1860 | schtasks.exe
2708 | schtasks.exe
2124 | schtasks.exe
2428 | schtasks.exe
796 | schtasks.exe
1672 | schtasks.exe
872 | schtasks.exe
1736 | schtasks.exe
916 | schtasks.exe
2680 | schtasks.exe
1536 | schtasks.exe
696 | schtasks.exe
988 | schtasks.exe
1924 | schtasks.exe
2276 | schtasks.exe
1712 | schtasks.exe
2784 | schtasks.exe
2052 | schtasks.exe
328 | schtasks.exe
2480 | schtasks.exe
2444 | schtasks.exe
2768 | schtasks.exe
2704 | schtasks.exe
764 | schtasks.exe
284 | schtasks.exe
1544 | schtasks.exe
1968 | schtasks.exe
2288 | schtasks.exe
2464 | schtasks.exe
2224 | schtasks.exe
784 | schtasks.exe
300 | schtasks.exe
1340 | schtasks.exe
1636 | schtasks.exe
1252 | schtasks.exe
2148 | schtasks.exe
2924 | schtasks.exe
1980 | schtasks.exe
3044 | schtasks.exe
412 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes:
pid | process
1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
2104 | powershell.exe
2540 | powershell.exe
2644 | powershell.exe
2088 | powershell.exe
2492 | powershell.exe
2224 | powershell.exe
2080 | powershell.exe
2076 | powershell.exe
324 | powershell.exe
1256 | powershell.exe
2096 | powershell.exe
2444 | powershell.exe
2844 | smss.exe
1804 | smss.exe
988 | smss.exe
2376 | smss.exe
2008 | smss.exe
1400 | smss.exe
1616 | smss.exe
1808 | smss.exe
1952 | smss.exe
272 | smss.exe
1524 | smss.exe

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2104 | powershell.exe
Token: SeDebugPrivilege | 2540 | powershell.exe
Token: SeDebugPrivilege | 2644 | powershell.exe
Token: SeDebugPrivilege | 2088 | powershell.exe
Token: SeDebugPrivilege | 2492 | powershell.exe
Token: SeDebugPrivilege | 2224 | powershell.exe
Token: SeDebugPrivilege | 2080 | powershell.exe
Token: SeDebugPrivilege | 2076 | powershell.exe
Token: SeDebugPrivilege | 324 | powershell.exe
Token: SeDebugPrivilege | 1256 | powershell.exe
Token: SeDebugPrivilege | 2096 | powershell.exe
Token: SeDebugPrivilege | 2444 | powershell.exe
Token: SeDebugPrivilege | 2844 | smss.exe
Token: SeDebugPrivilege | 1804 | smss.exe
Token: SeDebugPrivilege | 988 | smss.exe
Token: SeDebugPrivilege | 2376 | smss.exe
Token: SeDebugPrivilege | 2008 | smss.exe
Token: SeDebugPrivilege | 1400 | smss.exe
Token: SeDebugPrivilege | 1616 | smss.exe
Token: SeDebugPrivilege | 1808 | smss.exe
Token: SeDebugPrivilege | 1952 | smss.exe
Token: SeDebugPrivilege | 272 | smss.exe
Token: SeDebugPrivilege | 1524 | smss.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process
PID 1664 wrote to memory of 2540 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2540 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2540 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2076 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2076 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2076 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2644 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2644 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2644 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2080 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2080 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2080 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2104 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2104 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2104 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2224 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2224 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2224 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2096 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2096 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2096 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2088 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2088 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2088 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 1256 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 1256 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 1256 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 324 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 324 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 324 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2492 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2492 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2492 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2444 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2444 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2444 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | powershell.exe
PID 1664 wrote to memory of 2680 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | cmd.exe
PID 1664 wrote to memory of 2680 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | cmd.exe
PID 1664 wrote to memory of 2680 | 1664 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe | cmd.exe
PID 2680 wrote to memory of 2196 | 2680 | cmd.exe | w32tm.exe
PID 2680 wrote to memory of 2196 | 2680 | cmd.exe | w32tm.exe
PID 2680 wrote to memory of 2196 | 2680 | cmd.exe | w32tm.exe
PID 2680 wrote to memory of 2844 | 2680 | cmd.exe | smss.exe
PID 2680 wrote to memory of 2844 | 2680 | cmd.exe | smss.exe
PID 2680 wrote to memory of 2844 | 2680 | cmd.exe | smss.exe
PID 2844 wrote to memory of 2924 | 2844 | smss.exe | WScript.exe
PID 2844 wrote to memory of 2924 | 2844 | smss.exe | WScript.exe
PID 2844 wrote to memory of 2924 | 2844 | smss.exe | WScript.exe
PID 2844 wrote to memory of 2912 | 2844 | smss.exe | WScript.exe
PID 2844 wrote to memory of 2912 | 2844 | smss.exe | WScript.exe
PID 2844 wrote to memory of 2912 | 2844 | smss.exe | WScript.exe
PID 2924 wrote to memory of 1804 | 2924 | WScript.exe | smss.exe
PID 2924 wrote to memory of 1804 | 2924 | WScript.exe | smss.exe
PID 2924 wrote to memory of 1804 | 2924 | WScript.exe | smss.exe
PID 1804 wrote to memory of 2284 | 1804 | smss.exe | WScript.exe
PID 1804 wrote to memory of 2284 | 1804 | smss.exe | WScript.exe
PID 1804 wrote to memory of 2284 | 1804 | smss.exe | WScript.exe
PID 1804 wrote to memory of 2188 | 1804 | smss.exe | WScript.exe
PID 1804 wrote to memory of 2188 | 1804 | smss.exe | WScript.exe
PID 1804 wrote to memory of 2188 | 1804 | smss.exe | WScript.exe
PID 2284 wrote to memory of 988 | 2284 | WScript.exe | smss.exe
PID 2284 wrote to memory of 988 | 2284 | WScript.exe | smss.exe
PID 2284 wrote to memory of 988 | 2284 | WScript.exe | smss.exe
PID 988 wrote to memory of 1736 | 988 | smss.exe | WScript.exe
System policy modification 1 TTPs 36 IoCs
Processes: smss.exe, smss.exe, smss.exe, smss.exe, smss.exe, smss.exe, smss.exe, 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe, smss.exe, smss.exe, smss.exe, smss.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" smss.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe (level 1)
  "C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe"
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1664 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2076 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2080 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2096 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1256 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:324 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2444 -
C:\Windows\System32\cmd.exe (level 2)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YD2Vui68H4.bat"
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\system32\w32tm.exe (level 3)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2196
-
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe (level 3)
  "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2844 -
C:\Windows\System32\WScript.exe (level 4)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb0bdaa7-9959-44b3-b275-374c23ad3dbc.vbs"
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe (level 5)
  "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1804 -
C:\Windows\System32\WScript.exe (level 6)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\253cfe41-456b-4717-828b-437aed799842.vbs"
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe (level 7)
  "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:988 -
C:\Windows\System32\WScript.exe (level 8)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a51755b3-c6df-49e0-84af-fe8af15f789c.vbs"
  PID:1736
-
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe (level 9)
  "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2376 -
C:\Windows\System32\WScript.exe (level 10)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8f0c640-1635-45c6-9063-0d28594d2599.vbs"
  PID:1948
-
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe (level 11)
  "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2008 -
C:\Windows\System32\WScript.exe (level 12)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2dd08480-8628-4cee-9175-699b2c66e957.vbs"
  PID:2792
-
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe (level 13)
  "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1400 -
C:\Windows\System32\WScript.exe (level 14)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9251f47c-65a6-4c9d-a482-2abb570dde81.vbs"
  PID:1028
-
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe (level 15)
  "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1616 -
C:\Windows\System32\WScript.exe (level 16)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c46e484-0032-424b-92cf-c0b0f37b9fc9.vbs"
  PID:1700
-
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe (level 17)
  "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1808 -
C:\Windows\System32\WScript.exe (level 18)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4b73624-ddb4-4c31-8677-d0856c66f541.vbs"
  PID:1096
-
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe (level 19)
  "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1952 -
C:\Windows\System32\WScript.exe (level 20)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8697ec9-b9e3-439a-8b53-dbb4966a7231.vbs"
  PID:588
-
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe (level 21)
  "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:272 -
C:\Windows\System32\WScript.exe (level 22)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7f26326-349f-4229-b1e3-0ad737bc2fcc.vbs"
  PID:2388
-
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe (level 23)
  "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1524 -
C:\Windows\System32\WScript.exe (level 24)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7daee9d-82b9-4f22-a005-16c8163551ed.vbs"
  PID:1636
-
C:\Windows\System32\WScript.exe (level 24)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\734fcb3a-0633-4c18-8dbb-faf65501af97.vbs"
  PID:932
-
C:\Windows\System32\WScript.exe (level 22)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5461f44-f0e2-41e9-a039-50115ad6a6e3.vbs"
  PID:2772
-
C:\Windows\System32\WScript.exe (level 20)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f86e840-b08f-466c-aaa5-cd3b2caafc51.vbs"
  PID:2980
-
C:\Windows\System32\WScript.exe (level 18)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08597b29-db66-4aa1-b040-ee44b0a0b9c0.vbs"
  PID:2948
-
C:\Windows\System32\WScript.exe (level 16)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\363490ec-67ae-4630-acb1-1fd1655d4903.vbs"
  PID:988
-
C:\Windows\System32\WScript.exe (level 14)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ff150a1-e436-4a07-aee7-fe560b0c5d25.vbs"
  PID:1760
-
C:\Windows\System32\WScript.exe (level 12)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b37cde5-6c51-43c0-aebf-5e27ad6daf7f.vbs"
  PID:1928
-
C:\Windows\System32\WScript.exe (level 10)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\958268e6-247d-499a-80f9-17f84dedb9b3.vbs"
  PID:1036
-
C:\Windows\System32\WScript.exe (level 8)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf1c885f-f97d-46b0-8fdc-447da0d21c07.vbs"
  PID:888
-
C:\Windows\System32\WScript.exe (level 6)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f7105e9-eb91-440a-b555-39f520978e6d.vbs"
  PID:2188
-
C:\Windows\System32\WScript.exe (level 4)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82436d53-5309-40f3-ac36-a474d00d2904.vbs"
  PID:2912
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\lsass.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2444
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2924
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:800
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2704
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:612
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\security\templates\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\security\templates\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\security\templates\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\WIA\sppsvc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\debug\WIA\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\WIA\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\winlogon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:300
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1340
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2124
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\dwm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2428
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Idle.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:696
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:712
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Festival\sppsvc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Media\Festival\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\Festival\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:284
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:412
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsass.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:784
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Downloads\lsass.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Downloads\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:328
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:916
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:796
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\explorer.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:988
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\L2Schemas\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872
-
C:\Windows\system32\schtasks.exe (level 1)
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation: Abuse Elevation Control Mechanism (1), Bypass User Account Control (1), Scheduled Task/Job (1)
Downloads
-
Filesize
2.9MB
MD520031fc68f0287c5c554218150f79ff9
SHA1cede0659c8d1c8eb7b655c81a0d61a51cf00a002
SHA256b420d44742a0ab56d0385b0c546d40f5e3038c19f3cde5621969c75709e60562
SHA51209fac858adeb33fcbced8e81d4469879fc56124e84bafbb2bae855f75dbdb453f7c03645c10ffc1a8fc774a7fa66a6151e575eec08d82ffa55202dfdbc492452
-
Filesize
2.9MB
MD578e93535702e2a553d85bac1d4737210
SHA1572ed789a4da08d6c3cc770b4b49bb6d6a4ea75f
SHA256b6d844ec087f7be57656bfb4782919dbe0cf823301b441e68b7a7a8e757049fb
SHA512ad2ff42ed3569df69618af61d3732744c3aa713816709dbe53b11ee07df97f744acd99c26155485a3dac76a4576592e181e3198bbaad86009de716b72a183baa
-
Filesize
747B
MD5154819491185874064c767d305e2eab4
SHA1fca4bedf5e7b6698c45c3773676a6d915da28c3b
SHA2569ce4378ecfd00b3baaba3d624b01eee1fe27b84208844842d4c8d697bc4bfb2a
SHA5122fcb19db7f62b522dda634fcb24ac6c62b671a58f48d3c9d01feec1a97021156690e4084db8c655db67335afdf0f0c8f363bfebf0baccd36c55b387242e4a30b
-
Filesize
747B
MD5084bda8846a94ddeef39f7b26f144eff
SHA1b964d0737e9fd47f4d7b5178b9771097fc2c0f35
SHA25629a152012198221e85069de7c6f8ce93520b7c982305c0f5b36cc3d09bc0b11a
SHA5126e12c0402fd2193f2813161fb0caa2c2599086f2f2d1b887ace7d8446857549dd3318f9113ee477f59d8168266f52b6a2cee6b1b32622ef8e77c02dc33a5ea6d
-
Filesize
747B
MD5dea094c89327c1a808c6b03204fec474
SHA13e571b0c5b4902768f4b3284f67cb5183b592e8e
SHA256066716605382ea79189b55f7cce2a499b71db683f94507cde0ebb338f0661d59
SHA512ec25f852aead5c86c5ef699708887411d1ec18ceacb06ddee930dc49074339b1b45018e29302587f4e66f6312c5401b9a9578252d7297d24ce9540e46c3f5799
-
Filesize
523B
MD5723ab8a3ff7d35ef61be780666977299
SHA1cbfd0b1f2af3d8b3c58d8ccc9c9ded007730f362
SHA2565af77708f82c7dba36f6ea946165df1e338d6e1583f1e2514773b37b37919740
SHA512bfa61488798ab0e14a24bc692261e3950ae9c369529c12be20c5ca7bc19084654026f8c46342c929aa74d9077b2e44a49b6b2eb20ee18ad846476f58c4b11355
-
Filesize
747B
MD5749ff186579355df3cdbfb661e2274b1
SHA1b3ddc957afa29e3f4f1e3e6afc2e0a184643624b
SHA2569867401ac07a54391e088079f1e2818b527fa674ad2c75df993e39a4fa63febe
SHA51227f2960818ea6a64ec2744f61dfe87ae3e61efef905ec1ef190414428a5ac2b2a9e4415bba9cad67acc5d12debfa892c3543374c6ce55d96acfd4d0a1ec3c7b6
-
Filesize
236B
MD5d2ce7ce9a8e2ab1c085033f49ce8015c
SHA1e9878170b38faec1c3efc484d29bc3716a571d0d
SHA2563f8bc9b4d859cc0b2a603b0a23a37298404f40345b83efd244bf232d8255ee08
SHA51260cc2fc0204061fcf87e4fb21c3ab2b9a1a67bac44ea06981c92c28239c4da11c6b63a92f625e3fb555c3ceeaedde1fbb52759f0c8d7ad1c0557df1e1468f1f9
-
Filesize
746B
MD565ccb9147cc9900deaa2a69505bc49b7
SHA139dc7e382672396387fe948d483cbd610952eb42
SHA2569cabc068ba637f4fa74527f02fdd2e200ac59d60fd8852531460893e8c0e38ee
SHA5126d46cfa2a282a3d8e98d6ae39f340652be04bd076afe21bda665afa33642ee1429ed7eb5924bbf928a9bb77601a08b5611e5a98a5813818efcb6085fe247d03e
-
Filesize
746B
MD5
e29ab1a66e95b15de4f3fab6241ad19c
SHA1
2c1ba3bfd234c03db393761947bf59c7c8891d86
SHA256
1c99f002f265f28c19fd2d1eb6573fdb0c05b0163ab537c29cd9827ad7f51217
SHA512
e812b972ff0cc24c47742b9193c64e6f25c465e03d08f4adc0b68c11a06337c2a9e8b16903ccf816dff4479c4f38ce1dbd8fc627f648ec19d611bc240e5190eb
-
Filesize
747B
MD5
9abd9041435a9a1662da5781f087544c
SHA1
440457fb568926a0466cdd02740d42df41dd2c4a
SHA256
b277f2c28447a162d33d25f98dc1c346af688192cc450aa163b9fd3b3e1f6953
SHA512
99103fbaebb22e79b5b28297fed2ea8fb9c4294531f92afa00399e98a257d90de6afe2339c1381e5b1773b67b24d1188f8e30203c049b689215530b2ad5f5db9
-
Filesize
747B
MD5
bbe489cf2fb9fd19825a267868cd4837
SHA1
50827a3cf4033385fbe711cbdbd97f2a6a1f05ea
SHA256
243380e433181ab5c8ac8c7221d3ab6aced2290284706aca85ed4c70b599a12b
SHA512
7aa7dc5a3059c012648692867b2745309b0fb99358cb19fca13f7395a648923606e672a112162c5586bd6f39818050ee3d7606ccb166ca120fc7990903f5518f
-
Filesize
747B
MD5
e203d872550b3edbc19e33c970362f28
SHA1
3439b0a8d615edecc31e9ab21f3a1258ca3129ac
SHA256
1b9c328e94bb75dfce82d5b6eeea722e9f6df75a09951c91c88e1cb6401cb8b2
SHA512
9f990eedec706537f2392337c0c9cc39b88f23d0c9c67f8f4a881712f9171b3b3f22f1f44737572ee6e61b4c36f6c653ce5689b511ecff5d6c9343d73bb42da9
-
Filesize
747B
MD5
7935ab7aab8aeeef9cb5017464e1bd26
SHA1
b608350eba8781af1ab45678ffa33f2321db3dc6
SHA256
966def9e0ac621d7f15ce7dd6d7819fcc3be8d3202f564a29d5d6fc17aecdb0f
SHA512
22068df16ca472e96a0c4fa05e8c37f71f71ee8f382c5767b3050cf106ef09d3d7ac3b7bb5ca6eddff1072131cc451aeb3046de239df8aa09b30f39b91ea3812
-
Filesize
747B
MD5
56f85821cb29ab7f4699d7dab7210628
SHA1
b4ee699e9619d1cf07f3b031bdd823488d8c555e
SHA256
79f46a7cb87b06faaba0abf9e7263b90c844edf2cc8c994a4118456e20634406
SHA512
50b88774700fbdb4673b1d1f17d9ce8250b995a4fafb985d465410961f58a7f4ce32d3ca3a940887ce95608d07423dd03987478e8606a3af4558e539b5c59ea9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
2f7e0827bd66c30c0448e0e53ab8e3cd
SHA1
687002a7fef17843fa22ac3fda77cf7fc747dd1c
SHA256
46bb4517067409bf6deef0d56bce94a6dc13e9d6357e70dd84423aa9fbffe4e6
SHA512
76bc6bd81fad46d928cca300d63427b7a65e02f40a4f36e0cd55eb9ea17a34dc108a0dd5e3849ed598eda41e3718aef031d512b947310a430483ed3b5aba7cec
-
Filesize
2.9MB
MD5
9e975e4571f20460374c62ea829340aa
SHA1
25b227e24e881e1cce4369c3c65c3ba607afbbc4
SHA256
77f6112d0389830cb25aab10c52c379a96b5eb410b8588fad32fa9e4e27523b2
SHA512
bcacf613713f7c529179cf9c6ca052bde56a266a162c7d867a7a6866c21c2a2e303940841a03d078dc9b751b6920fbbfc9648af87bff29de3085d42d2953797d