Analysis
-
max time kernel
146s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
16-05-2024 09:16
Behavioral task
behavioral1
Sample
d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe
Resource
win7-20240419-en
General
-
Target
d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe
-
Size
2.9MB
-
MD5
d22bc2c281eda0bd630673443da3d2f0
-
SHA1
31f11ef93b4a2d28a6445090128e37c32a58661c
-
SHA256
38f4b04c7fe1ce4d8ce9e43eb0df87bdb03c0f3b432daa8670be4750bab542b6
-
SHA512
76c82f89813b8e2e40a90b2347a971599a5afbf7a0484c99b74a3ddcb3cdeb330b94b9efbb111159603a17f64f8621ecbffa90c1c0c8c4fded469e0575044538
-
SSDEEP
49152:H4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:YDKmzjWnC8Wikx1DUN2/Uq
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 63 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2792 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2764 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2396 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2492 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1984 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2092 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2508 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1732 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1020 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2660 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2588 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2580 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2456 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2940 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2356 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2576 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2528 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 396 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2396 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2164 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1348 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2532 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1852 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1780 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2672 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1876 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1860 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2800 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2560 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 476 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2844 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 556 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2704 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2648 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1516 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1016 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2268 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1640 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2780 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2992 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1204 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1140 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2148 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1756 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2012 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2840 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1520 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1524 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2056 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2200 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2144 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2916 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2428 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1480 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1432 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 636 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1868 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 236 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3036 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2328 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1568 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2424 2624 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1996 2624 schtasks.exe -
Processes:
csrss.execsrss.execsrss.exed22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exed22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.execsrss.execsrss.execsrss.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe -
Processes:
resource yara_rule behavioral1/memory/3028-1-0x00000000002A0000-0x0000000000586000-memory.dmp dcrat C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\audiodg.exe dcrat behavioral1/memory/444-229-0x0000000001020000-0x0000000001306000-memory.dmp dcrat behavioral1/memory/912-282-0x0000000001090000-0x0000000001376000-memory.dmp dcrat behavioral1/memory/2160-306-0x0000000000060000-0x0000000000346000-memory.dmp dcrat behavioral1/memory/880-318-0x0000000001360000-0x0000000001646000-memory.dmp dcrat behavioral1/memory/2920-354-0x00000000002C0000-0x00000000005A6000-memory.dmp dcrat behavioral1/memory/1820-368-0x00000000011E0000-0x00000000014C6000-memory.dmp dcrat behavioral1/memory/3000-377-0x0000000000120000-0x0000000000406000-memory.dmp dcrat behavioral1/memory/2112-385-0x0000000000E00000-0x00000000010E6000-memory.dmp dcrat behavioral1/memory/2480-400-0x0000000000110000-0x00000000003F6000-memory.dmp dcrat behavioral1/memory/1728-409-0x0000000000B20000-0x0000000000E06000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 1856 powershell.exe 2388 powershell.exe 1872 powershell.exe 1552 powershell.exe 2372 powershell.exe 2832 powershell.exe 2904 powershell.exe 2628 powershell.exe 2504 powershell.exe 2604 powershell.exe 328 powershell.exe 2360 powershell.exe 752 powershell.exe 1664 powershell.exe 1544 powershell.exe 1608 powershell.exe 2464 powershell.exe 2736 powershell.exe 1628 powershell.exe 2584 powershell.exe 2484 powershell.exe 1216 powershell.exe 2456 powershell.exe 2768 powershell.exe -
Executes dropped EXE 16 IoCs
Processes:
d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exepid process 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe 444 csrss.exe 3064 csrss.exe 912 csrss.exe 2668 csrss.exe 2160 csrss.exe 880 csrss.exe 2632 csrss.exe 1660 csrss.exe 2920 csrss.exe 1820 csrss.exe 3000 csrss.exe 2112 csrss.exe 1296 csrss.exe 2480 csrss.exe 1728 csrss.exe -
Processes:
csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exed22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.execsrss.execsrss.execsrss.execsrss.exed22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.execsrss.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA csrss.exe -
Drops file in Program Files directory 23 IoCs
Processes:
d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exed22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exedescription ioc process File opened for modification C:\Program Files\Windows Defender\taskhost.exe d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File created C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\42af1c969fbb7b d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File opened for modification C:\Program Files\Windows Defender\smss.exe d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File created C:\Program Files\Windows Defender\taskhost.exe d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File created C:\Program Files\Windows Defender\ja-JP\6cb0b6c459d5d3 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File created C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File opened for modification C:\Program Files\Java\Idle.exe d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\dwm.exe d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File created C:\Program Files\Windows Defender\69ddcba757bf72 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File created C:\Program Files\Java\Idle.exe d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File created C:\Program Files\Java\6ccacd8608530f d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File created C:\Program Files\Windows Defender\ja-JP\dwm.exe d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File opened for modification C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File opened for modification C:\Program Files\Windows Defender\RCX1F37.tmp d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\0a1fd5f707cd16 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File created C:\Program Files\Windows Sidebar\Shared Gadgets\f3b6ecef712a24 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File created C:\Program Files\Windows Defender\b75386f1303e64 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File created C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\audiodg.exe d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\audiodg.exe d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File created C:\Program Files\Windows Defender\smss.exe d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\RCX1B2F.tmp d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe -
Drops file in Windows directory 10 IoCs
Processes:
d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exed22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exedescription ioc process File opened for modification C:\Windows\Registration\CRMLog\wininit.exe d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File created C:\Windows\TAPI\886983d96e3d3e d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File opened for modification C:\Windows\TAPI\csrss.exe d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File created C:\Windows\Registration\CRMLog\wininit.exe d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File created C:\Windows\Registration\CRMLog\56085415360792 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File opened for modification C:\Windows\Registration\CRMLog\RCX1D33.tmp d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File created C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File created C:\Windows\BitLockerDiscoveryVolumeContents\42af1c969fbb7b d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File created C:\Windows\TAPI\csrss.exe d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 63 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 1756 schtasks.exe 2056 schtasks.exe 2356 schtasks.exe 2800 schtasks.exe 636 schtasks.exe 2424 schtasks.exe 2940 schtasks.exe 2660 schtasks.exe 2580 schtasks.exe 2528 schtasks.exe 1348 schtasks.exe 2428 schtasks.exe 1984 schtasks.exe 2992 schtasks.exe 1432 schtasks.exe 3036 schtasks.exe 2780 schtasks.exe 2012 schtasks.exe 2144 schtasks.exe 1204 schtasks.exe 2672 schtasks.exe 2844 schtasks.exe 2268 schtasks.exe 2492 schtasks.exe 1732 schtasks.exe 2576 schtasks.exe 1640 schtasks.exe 1140 schtasks.exe 2200 schtasks.exe 2092 schtasks.exe 396 schtasks.exe 476 schtasks.exe 2508 schtasks.exe 1020 schtasks.exe 236 schtasks.exe 2396 schtasks.exe 2764 schtasks.exe 2456 schtasks.exe 2164 schtasks.exe 1780 schtasks.exe 1876 schtasks.exe 2148 schtasks.exe 2328 schtasks.exe 2792 schtasks.exe 2704 schtasks.exe 1524 schtasks.exe 1852 schtasks.exe 1016 schtasks.exe 2648 schtasks.exe 1996 schtasks.exe 2396 schtasks.exe 556 schtasks.exe 1480 schtasks.exe 1568 schtasks.exe 1520 schtasks.exe 2532 schtasks.exe 1860 schtasks.exe 2560 schtasks.exe 1516 schtasks.exe 2840 schtasks.exe 2916 schtasks.exe 1868 schtasks.exe 2588 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 51 IoCs
Processes:
d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exed22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exepid process 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe 1216 powershell.exe 1552 powershell.exe 2372 powershell.exe 752 powershell.exe 2388 powershell.exe 1608 powershell.exe 1856 powershell.exe 1872 powershell.exe 328 powershell.exe 1664 powershell.exe 1544 powershell.exe 2360 powershell.exe 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe 2736 powershell.exe 2456 powershell.exe 2464 powershell.exe 2628 powershell.exe 2484 powershell.exe 2584 powershell.exe 1628 powershell.exe 2504 powershell.exe 2832 powershell.exe 2604 powershell.exe 2768 powershell.exe 2904 powershell.exe 444 csrss.exe 3064 csrss.exe 912 csrss.exe 2668 csrss.exe 2160 csrss.exe 880 csrss.exe 2632 csrss.exe 1660 csrss.exe 2920 csrss.exe 1820 csrss.exe 3000 csrss.exe 2112 csrss.exe 1296 csrss.exe 2480 csrss.exe 1728 csrss.exe -
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exed22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exedescription pid process Token: SeDebugPrivilege 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe Token: SeDebugPrivilege 1216 powershell.exe Token: SeDebugPrivilege 1552 powershell.exe Token: SeDebugPrivilege 2372 powershell.exe Token: SeDebugPrivilege 752 powershell.exe Token: SeDebugPrivilege 2388 powershell.exe Token: SeDebugPrivilege 1608 powershell.exe Token: SeDebugPrivilege 1856 powershell.exe Token: SeDebugPrivilege 1872 powershell.exe Token: SeDebugPrivilege 328 powershell.exe Token: SeDebugPrivilege 1664 powershell.exe Token: SeDebugPrivilege 1544 powershell.exe Token: SeDebugPrivilege 2360 powershell.exe Token: SeDebugPrivilege 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe Token: SeDebugPrivilege 2736 powershell.exe Token: SeDebugPrivilege 2464 powershell.exe Token: SeDebugPrivilege 2456 powershell.exe Token: SeDebugPrivilege 2628 powershell.exe Token: SeDebugPrivilege 2484 powershell.exe Token: SeDebugPrivilege 2584 powershell.exe Token: SeDebugPrivilege 1628 powershell.exe Token: SeDebugPrivilege 2504 powershell.exe Token: SeDebugPrivilege 2832 powershell.exe Token: SeDebugPrivilege 2604 powershell.exe Token: SeDebugPrivilege 2768 powershell.exe Token: SeDebugPrivilege 2904 powershell.exe Token: SeDebugPrivilege 444 csrss.exe Token: SeDebugPrivilege 3064 csrss.exe Token: SeDebugPrivilege 912 csrss.exe Token: SeDebugPrivilege 2668 csrss.exe Token: SeDebugPrivilege 2160 csrss.exe Token: SeDebugPrivilege 880 csrss.exe Token: SeDebugPrivilege 2632 csrss.exe Token: SeDebugPrivilege 1660 csrss.exe Token: SeDebugPrivilege 2920 csrss.exe Token: SeDebugPrivilege 1820 csrss.exe Token: SeDebugPrivilege 3000 csrss.exe Token: SeDebugPrivilege 2112 csrss.exe Token: SeDebugPrivilege 1296 csrss.exe Token: SeDebugPrivilege 2480 csrss.exe Token: SeDebugPrivilege 1728 csrss.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exed22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exedescription pid process target process PID 3028 wrote to memory of 1856 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 1856 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 1856 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 2388 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 2388 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 2388 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 328 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 328 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 328 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 2372 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 2372 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 2372 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 2360 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 2360 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 2360 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 1552 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 1552 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 1552 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 1608 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 1608 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 1608 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 1544 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 1544 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 1544 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 1216 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 1216 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 1216 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 752 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 752 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 752 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 1872 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 1872 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 1872 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 1664 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 1664 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 1664 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 3028 wrote to memory of 2276 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe PID 3028 wrote to memory of 2276 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe PID 3028 wrote to memory of 2276 3028 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe PID 2276 wrote to memory of 2736 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 2276 wrote to memory of 2736 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 2276 wrote to memory of 2736 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 2276 wrote to memory of 2832 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 2276 wrote to memory of 2832 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 2276 wrote to memory of 2832 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 2276 wrote to memory of 2604 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 2276 wrote to memory of 2604 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 2276 wrote to memory of 2604 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 2276 wrote to memory of 2504 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 2276 wrote to memory of 2504 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 2276 wrote to memory of 2504 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 2276 wrote to memory of 2464 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 2276 wrote to memory of 2464 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 2276 wrote to memory of 2464 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 2276 wrote to memory of 2768 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 2276 wrote to memory of 2768 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 2276 wrote to memory of 2768 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 2276 wrote to memory of 2628 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 2276 wrote to memory of 2628 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 2276 wrote to memory of 2628 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 2276 wrote to memory of 2484 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 2276 wrote to memory of 2484 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 2276 wrote to memory of 2484 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe PID 2276 wrote to memory of 2584 2276 d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe powershell.exe -
System policy modification 1 TTPs 51 IoCs
Processes:
csrss.execsrss.exed22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exed22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3028 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:328 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2360 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1216 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:752 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664 -
C:\Users\Admin\AppData\Local\Temp\d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2276 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2504 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628 -
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:444 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a93c7b6-ac4d-4870-8af3-328881bcfafe.vbs"4⤵PID:2360
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3064 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58841f22-3d73-4b6e-a4a6-ab525bc45f0e.vbs"6⤵PID:2356
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:912 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2d11e73-8da2-4a25-ab38-6403449807c5.vbs"8⤵PID:2148
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2668 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13fe7019-3bc8-466d-8e1f-ebef01ffa290.vbs"10⤵PID:1720
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2160 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9cc5cd7-f67f-4691-bf64-70ac7f6dd3e9.vbs"12⤵PID:2096
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:880 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d86bb8f8-f0d8-437e-b511-777f2844f73f.vbs"14⤵PID:2272
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2632 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1700c1c5-da40-4e9f-8cd3-b1f4b9869049.vbs"16⤵PID:2796
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1660 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fe1d5f0-59fb-47ea-9185-ae5c6879e41e.vbs"18⤵PID:2740
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2920 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94594930-425e-4aae-b1c4-5c3b630cc984.vbs"20⤵PID:568
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"21⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1820 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81cfd0a2-1065-453b-8223-59e65b9c17c5.vbs"22⤵PID:1540
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"23⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3000 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f837037d-b20e-4256-9b3b-38f5f14904a7.vbs"24⤵PID:1040
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"25⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2112 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3d6944f-1674-4ec1-93ec-6a5116ee0af4.vbs"26⤵PID:1608
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"27⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1296 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e03093a-705c-4408-8c77-b59452ae7856.vbs"28⤵PID:1516
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"29⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2480 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd4e3bf4-d255-4d36-88d7-9c54be2db269.vbs"30⤵PID:1216
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe"31⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1728 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a49a1fdb-a53d-474b-a1f8-ac5958359b8e.vbs"32⤵PID:352
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5dbfb6d8-b81d-470b-a15b-f474171c9da0.vbs"32⤵PID:1512
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\449afc26-8060-4c18-ae66-688447279ce7.vbs"30⤵PID:1640
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d03b0ba6-419c-4d53-b5ec-337479567b95.vbs"28⤵PID:1900
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bdfc040-1b4a-447d-bc10-5158df39457e.vbs"26⤵PID:1896
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\706cef54-b753-4de2-9292-9ea33929f3a4.vbs"24⤵PID:2060
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c4a74bf-94fd-4e26-a305-072a79eb70ff.vbs"22⤵PID:2096
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\691352a9-10eb-43e6-9d06-51dcfe5c423d.vbs"20⤵PID:2108
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ea3412b-15ca-496a-a287-7cbbd8e7d240.vbs"18⤵PID:2616
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\369e4250-a7ac-4ad4-891b-e85be65e3460.vbs"16⤵PID:1844
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81b2cc72-825e-400e-8457-2c216f2b6fba.vbs"14⤵PID:1572
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b338f91e-6624-4cb0-908e-bc573309519a.vbs"12⤵PID:752
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93682006-16f6-47fb-9f95-29c740cb8d86.vbs"10⤵PID:1140
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4ad9304-06b9-4784-b16c-2577d0b70c10.vbs"8⤵PID:3040
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ff1e457-dcf9-4e90-be64-510a2cd45242.vbs"6⤵PID:1648
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41bf44bd-5445-4bc6-988b-862123bbcca8.vbs"4⤵PID:2996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\Registration\CRMLog\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Templates\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Templates\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft Help\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Application Data\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Application Data\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Java\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\ja-JP\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\ja-JP\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\NetHood\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\NetHood\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD5d22bc2c281eda0bd630673443da3d2f0
SHA131f11ef93b4a2d28a6445090128e37c32a58661c
SHA25638f4b04c7fe1ce4d8ce9e43eb0df87bdb03c0f3b432daa8670be4750bab542b6
SHA51276c82f89813b8e2e40a90b2347a971599a5afbf7a0484c99b74a3ddcb3cdeb330b94b9efbb111159603a17f64f8621ecbffa90c1c0c8c4fded469e0575044538
-
Filesize
753B
MD5f0f692110f440ef70052432a8e26911c
SHA1cdacd17e280855d2ffbe9bb1c72be5d5795fa6d3
SHA256c48c55a5ada909253f528db7b4e4cc132c139e08a30cfa682067b980e79b512e
SHA512e2c0a6be4f6e12fd3256a83651760640c1742631539f374c8807c4b12decb0d9072c002b5ec0d97dcc4f1083cb0491862017dfdec974f477482b3f16ffc56f9f
-
Filesize
753B
MD5beee16c7fe794c84d9101cf2710f0498
SHA1dd981408fbe1bf52de0c449c08cf49749194cdb7
SHA256dd875c8d9720772b3ee1d008b364654623cf172471d7b192a2150d180114b4e6
SHA512e233268d962e9076c7a75cb90f667cfcc03bca0d0dd68a6b4a0cdf3f7d7e958039f5a283b03a71a3bd9a2b05738d4da2dbabb7b8a30352f8c4d945d86845aa97
-
Filesize
753B
MD53e276b75a871045679c3f39be36e671a
SHA1e256fd95f4be9bc91ea757ecc0c9ea004566c0f0
SHA256107e2acae02aa8c7cfec2c7a2a2529838a42564ffbb4e95d1bf9edcc4c33eda1
SHA512c7a49b41c23293682069b2fb761c1a53bcce89f946da4fdff6141fc578fa4e6ce666d265b43e6b2bbdb13d5ee37bd4b631f57a516a2d0097a99db58eda2e0344
-
Filesize
529B
MD5c44a822f2e2464eba75415e6228b1f33
SHA1c8dc5f576cbd350cf5018d2d3efee53d18845e11
SHA2562d236093e56cd743e4a738b0daf527a9a291b1c4d7c1825e343abb1bf3a3b0de
SHA5124231f199a4c89a83560bfc07c78deb68933374f6ba8baf0dfaabc164cb397e239244189afa67a7890dded471029c5346ade9110daa8f37d79326b1976ba024d5
-
Filesize
753B
MD5ed92b37de420a766fbc39387ef819df4
SHA1d067d36b0cdce278655c779671f186822ff4a080
SHA256a8733a142866400bdf776fc8f9b1b1a3612aad3e4737c4212263acfc7a1d690f
SHA5128131ae6b019ceb07f8a45c5bad2284762e0f66ef96fae8c48486c187f843175ede74679b429607e148c662514d7fd7896a371e986a03218cc2a6569b2cf100ac
-
Filesize
752B
MD52178a413a98f735434c55600b7b5a7a9
SHA14791127168ac1c5f1f33f1139245236fdba95816
SHA256b02597a8ef51fea020cb503762688d48e503223599242191ffad3693093c9613
SHA512dfaebd9570636ff2a37b962658e7a18cb7417093aafdb5d1c8b1161f2f5d64f3f6a9891406c658db89a630ccf7aeeca544278773b062e97d2787c2255b067247
-
Filesize
753B
MD5834f76a6b12533a1a82b63d3ff63c5ef
SHA131a174bdcc0181d765b9c3701cc5fee6a0f1db5d
SHA256a6fc4df3bd3dfbab320f07c7e53c34c5bbe793d561a4ed50044200427e15c141
SHA512c19dbfea875c2ca8b6168529a65daf5a5d748845f853fbc201af9e86507ff35ab9a221ade33dfab4b07e6ca32e5ec310c6468b3889edfc5fe845ae8798a8718f
-
Filesize
753B
MD514f699c17a6654b9d2f5a61bb64649a6
SHA1dacac4226c8394f9bbcb5e496375e5ed2a4a01eb
SHA256adb390a019cad776774d1121df12143e9b21ed63295b3b7425f61284ebf1c068
SHA51299f5fc3d999516891dd6fd1f948638ba22a407db06e1cbee42e675153863b4455af5fe0c83cddcc342ed55305ce1941c0bcd0243aee828c02fcadd034d724fb5
-
Filesize
752B
MD570eab4cbdd523457cfeeedd0622e4233
SHA1020e6d20c2ec18900423c0459cff60054c8ac84b
SHA256d263433405144987f585601206ba70e6c96fd5844186faa0127edd107583f495
SHA512029cf8ca39fa130cee360e84ba38aabbe3780c9f46225d2aadd997bf405d1c1c70ca0f00759947f41d44e6eb8f4fc2a1977146f4bf29f006b77a6df0dd8901b6
-
Filesize
752B
MD592f5a975376c058a97d1487907c24105
SHA12f4d926664bca993447d310b0fd4ff7f54a501aa
SHA2562e6d8b171b6aa21d93b175d00b1080cd400556a464ab09b41afff065c45a96ed
SHA512a4c478212987f1f4c330816eefbf88edce78b3251c56f19f8863e3b2ca21135f9c1d755cbeccfddac409b5d56ed362ab565c1eb725bb318050bdfe70f4117476
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD511bc0d56feef9b0674f8bdf4879531b9
SHA194feac00eecef04ab4e7a2b80b308d68afbc1bf3
SHA256a18922e9fe2d46203e0f7b4c37003c3d60f975487ba167d2c80e7e8e9e9b3dbe
SHA51235a27c9f11055431f18587e2a3d986c00ae9bc4e88c61c621ba424a32385a718b9476a9c0e37f5255b4d1bc9905490fcb6ff4ddf3a29ee11b3b096f80cf26a44