Analysis
max time kernel: 146s
max time network: 147s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 16-05-2024 10:15

Behavioral task: behavioral1
Sample: da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
Resource: win7-20240508-en

General
Target: da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
Size: 3.2MB
MD5: da302f8b90f36acd84743c7639d4e0d0
SHA1: f8fdb617872a6f31fc21b7d7826efba0651077a4
SHA256: a22fcf8eea502fd77a86507ef856f97512aeed2006a0d79f122850f5d14dcf9b
SHA512: cb2392bfd6277ba436ccf0421baccbae4f2b6ef2ecbcd2c72c95de2e3a820a212cd9c7d3662795290341d9c285e75a8a2111fda8bb1ec296a9772689a9af9646
SSDEEP: 98304:msmfE8eD0M782w1JSdvi199xP9/ecsFjPSz:mQNBY2S99xl
Malware Config (no extracted configuration is shown on this page)

Signatures

DcRat
DarkCrystal RAT (DCRat) is a .NET RAT first seen in June 2019 that can load additional plugins.
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the parent of all 48 rows is the WMI provider host (WmiPrvSE.exe, PID 2684) and every child is schtasks.exe. That is the footprint left when a process creates children through WMI (Win32_Process.Create) instead of calling CreateProcess itself: WmiPrvSE.exe becomes the recorded parent and the real caller does not appear in the parent/child relationship, so detections that key only on children of the sample's own PID miss these launches. The 48 child PIDs are the same set listed under "Creates scheduled task(s)" below.
Processes:
description:    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (all 48 rows)
pid_target:     2684 (wmiprvse.exe, all 48 rows)
target process: schtasks.exe (all 48 rows)
pid (the child schtasks.exe), in report order:
  2588, 3016, 1624, 2680, 2720, 2172, 2480, 2536, 2880, 2052, 1280, 1960,
  1224, 1120, 2200, 2356, 2044, 2352, 1036, 2180, 2184, 352, 1768, 2872,
  2760, 1540, 2216, 2096, 320, 484, 712, 2204, 1860, 1808, 1936, 448,
  2440, 1380, 1736, 1776, 1980, 1984, 1608, 900, 2300, 2996, 2404, 3036
Processes:
(registry writes that turn off UAC; the signature heading for this block is not present in the extracted page, see "System policy modification" below for the same values)
All values are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and every row is Set value (int) ... = "0". 39 rows, aggregated by value and writing process:
  EnableLUA = "0"                   dllhost.exe x12   da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe x1
  ConsentPromptBehaviorAdmin = "0"  dllhost.exe x12   da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe x1
  PromptOnSecureDesktop = "0"       dllhost.exe x12   da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe x1
These are HKLM values, so the writes only succeed from an already elevated process; the original sample sets each value once and every one of the twelve dropped dllhost.exe instances sets all three again.
Processes:
(yara matches for the DcRat payload; the signature heading for this block is not present in the extracted page)
resource                                                                      yara_rule
behavioral1/memory/1620-1-0x00000000012F0000-0x000000000162C000-memory.dmp    dcrat
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe                     dcrat
C:\Program Files\7-Zip\Lang\csrss.exe                                          dcrat
C:\Program Files (x86)\Windows NT\TableTextService\es-ES\csrss.exe             dcrat
C:\MSOCache\All Users\dllhost.exe                                              dcrat
C:\ProgramData\Adobe\Updater6\lsass.exe                                        dcrat
C:\Users\Default\Music\RCX4586.tmp                                             dcrat
C:\ProgramData\Microsoft Help\lsass.exe                                        dcrat
behavioral1/memory/1260-322-0x0000000000E60000-0x000000000119C000-memory.dmp  dcrat
behavioral1/memory/992-333-0x00000000010A0000-0x00000000013DC000-memory.dmp   dcrat
behavioral1/memory/1812-345-0x0000000001260000-0x000000000159C000-memory.dmp  dcrat
behavioral1/memory/1280-369-0x00000000002C0000-0x00000000005FC000-memory.dmp  dcrat
behavioral1/memory/2480-381-0x00000000011B0000-0x00000000014EC000-memory.dmp  dcrat
behavioral1/memory/1676-406-0x0000000000080000-0x00000000003BC000-memory.dmp  dcrat
behavioral1/memory/2764-419-0x0000000000250000-0x000000000058C000-memory.dmp  dcrat
behavioral1/memory/2936-432-0x00000000000C0000-0x00000000003FC000-memory.dmp  dcrat
behavioral1/memory/2760-444-0x0000000000B90000-0x0000000000ECC000-memory.dmp  dcrat
behavioral1/memory/2268-457-0x0000000000EA0000-0x00000000011DC000-memory.dmp  dcrat
Every matched memory region is 0x33C000 bytes (about 3.2 MB, the size of the submitted file), in the sample (PID 1620) and in each of the dllhost.exe instances, which is consistent with every dropped copy being the same PE as the sample rather than a different stage. The dropped files borrow core Windows image names (lsass.exe, csrss.exe, dllhost.exe) in directories where those names never legitimately occur, plus a copy in the C:\Recovery folder, which is excluded from many scans and rarely inspected.
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid   process
2920  powershell.exe
836   powershell.exe
2860  powershell.exe
2812  powershell.exe
2816  powershell.exe
2424  powershell.exe
688   powershell.exe
2052  powershell.exe
340   powershell.exe
2428  powershell.exe
2200  powershell.exe
1696  powershell.exe
All twelve are direct children of the sample (PID 1620; see the WriteProcessMemory section below). The report records only the PIDs, not the command lines, so which paths, processes or extensions were excluded cannot be read from this page.
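The signature names the technique but the page carries no command lines. The following is an added example, not part of the report or of the sandbox's tooling: it pulls Microsoft Defender exclusion changes out of PowerShell command lines (Add-MpPreference / Set-MpPreference with -ExclusionPath, -ExclusionProcess, -ExclusionExtension), decodes -EncodedCommand blobs first since that is how such calls are usually hidden, and flags exclusions broad enough to blind Defender to whole classes of files. The command lines are constructed for illustration, with the excluded paths borrowed from this report's dropped-file list; what this sample actually excluded is not on the page.

```python
"""Extract Microsoft Defender exclusion changes from PowerShell command lines.

Added example, not from the sandbox report. COMMAND_LINES are constructed;
the paths in them are borrowed from the report's dropped-file list."""
import base64
import re

CALL_RE = re.compile(r"(?:Add|Set)-MpPreference\b(?P<args>[^;|\n]*)", re.I)
# One argument value: single-quoted, double-quoted, or a bare token.
VALUE = r'''(?:'[^']*'|"[^"]*"|[^\s,]+)'''
PARAM_RE = re.compile(
    r"-Exclusion(?P<kind>Path|Process|Extension)\s+(?P<vals>" + VALUE + r"(?:\s*,\s*" + VALUE + ")*)",
    re.I,
)
VALUE_RE = re.compile(VALUE)
# -e / -enc / -EncodedCommand followed by a base64 blob (PowerShell: base64 of UTF-16LE).
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)

_ENC = base64.b64encode("Add-MpPreference -ExclusionProcess 'dllhost.exe'".encode("utf-16-le")).decode()
COMMAND_LINES = [  # constructed for illustration
    "powershell.exe -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\\Program Files\\7-Zip\\Lang\\csrss.exe', 'C:\\MSOCache\\All Users\\dllhost.exe'",
    "powershell.exe -Command \"Add-MpPreference -ExclusionProcess 'csrss.exe' -ExclusionExtension exe\"",
    "powershell.exe -WindowStyle Hidden -EncodedCommand " + _ENC,
    "powershell.exe -Command Get-MpPreference",
]


def decode_encoded(cmdline):
    """Return the decoded script for an -EncodedCommand line, else the line unchanged."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def extract_exclusions(cmdlines):
    """Return [(kind, value)] for every exclusion added via Add-/Set-MpPreference."""
    found = []
    for line in cmdlines:
        script = decode_encoded(line)
        for call in CALL_RE.finditer(script):
            for p in PARAM_RE.finditer(call.group("args")):
                for v in VALUE_RE.findall(p.group("vals")):
                    found.append((p.group("kind").lower(), v.strip("'\"")))
    return found


def is_broad(kind, value):
    """True for exclusions that cover far more than one file (assumed thresholds)."""
    v = value.strip().lower()
    if kind == "extension":
        return v.lstrip(".") in {"exe", "dll", "ps1", "bat", "vbs", "js", "scr"}
    if kind == "path":
        return re.fullmatch(r"[a-z]:\\?", v) is not None or v.endswith("\\*")
    return False  # a process exclusion is narrow, though still unusual outside deployment tooling


if __name__ == "__main__":
    for kind, value in extract_exclusions(COMMAND_LINES):
        flag = "BROAD" if is_broad(kind, value) else "narrow"
        print(f"{flag:6} {kind:9} {value}")
```

On a live host the same logic runs over Sysmon event 1 command lines or PowerShell script-block logs (event 4104, where the decoded script is already present); a `Get-MpPreference` afterwards shows whether any of the flagged exclusions actually took effect.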
Executes dropped EXE 12 IoCs
Processes:
pid   process
1260  dllhost.exe
992   dllhost.exe
1812  dllhost.exe
2576  dllhost.exe
1280  dllhost.exe
2480  dllhost.exe
928   dllhost.exe
1676  dllhost.exe
2764  dllhost.exe
2936  dllhost.exe
2760  dllhost.exe
2268  dllhost.exe
Processes:
(reads and writes of the EnableLUA policy value; the signature heading for this block is not present in the extracted page)
Value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA. 26 rows, aggregated:
  Set value (int) EnableLUA = "0"   dllhost.exe x12   da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe x1
  Key value queried EnableLUA       dllhost.exe x12   da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe x1
Drops file in Program Files directory 20 IoCs
Processes:
All 20 rows are by da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe.
description                   ioc
File opened for modification  C:\Program Files\7-Zip\Lang\RCX2E0B.tmp
File opened for modification  C:\Program Files (x86)\Windows NT\RCX393D.tmp
File opened for modification  C:\Program Files (x86)\Windows NT\TableTextService\es-ES\RCX3B40.tmp
File opened for modification  C:\Program Files (x86)\Windows NT\TableTextService\es-ES\RCX3BAF.tmp
File opened for modification  C:\Program Files (x86)\Windows NT\TableTextService\es-ES\csrss.exe
File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\wininit.exe
File created                  C:\Program Files (x86)\Windows NT\886983d96e3d3e
File created                  C:\Program Files (x86)\Windows NT\TableTextService\es-ES\886983d96e3d3e
File opened for modification  C:\Program Files (x86)\Windows NT\RCX393C.tmp
File opened for modification  C:\Program Files (x86)\Windows NT\csrss.exe
File created                  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\wininit.exe
File opened for modification  C:\Program Files\7-Zip\Lang\csrss.exe
File created                  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\56085415360792
File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RCX4A1B.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RCX4A1C.tmp
File created                  C:\Program Files\7-Zip\Lang\886983d96e3d3e
File created                  C:\Program Files (x86)\Windows NT\csrss.exe
File opened for modification  C:\Program Files\7-Zip\Lang\RCX2E79.tmp
File created                  C:\Program Files\7-Zip\Lang\csrss.exe
File created                  C:\Program Files (x86)\Windows NT\TableTextService\es-ES\csrss.exe
The pattern is the same in every target directory: a pair of RCX####.tmp staging files (transient names that the Windows file-copy routines typically create in the destination directory and then rename onto the final name), the planted executable under a core Windows image name (csrss.exe, wininit.exe), and a 14-hex-character companion file (886983d96e3d3e, 56085415360792) next to it. The .tmp names change from run to run; the final file names and the companion files are the stable indicators.
Drops file in Windows directory 5 IoCs
Processes:
All 5 rows are by da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe.
description                   ioc
File created                  C:\Windows\Fonts\27d1bcfc3c54e0
File opened for modification  C:\Windows\Fonts\RCX32B0.tmp
File opened for modification  C:\Windows\Fonts\RCX32B1.tmp
File opened for modification  C:\Windows\Fonts\System.exe
File created                  C:\Windows\Fonts\System.exe
The name System.exe mimics the kernel's "System" process, which has no on-disk executable; any file by that name is planted. Writing into C:\Windows\Fonts requires administrative rights, consistent with the elevated context seen in the UAC registry writes.
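To triage drop lists like the two above (and the yara-matched paths earlier), here is an added example, not part of the report: it classifies each path as a core Windows image name planted outside the system directories, a fake System.exe, an RCX####.tmp staging file, a hex-named companion file, or other, and then pairs planted executables with the companion file dropped beside them. The path list is constructed from this report plus one clean control path; the protected-image list and the companion-file pattern are assumptions for illustration.

```python
"""Classify file-system IoCs from a sandbox report and pair planted
executables with their companion files.

Added example, not from the report. PATHS is constructed from the report's
yara-match and 'Drops file' sections plus one legitimate control path."""
import ntpath
import re
from collections import Counter, defaultdict

# Images that belong only in the Windows system directories on a clean host (assumption).
SYSTEM_IMAGES = {"csrss.exe", "lsass.exe", "wininit.exe", "dllhost.exe",
                 "smss.exe", "services.exe", "winlogon.exe", "svchost.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
STAGING_RE = re.compile(r"^RCX[0-9A-F]{4}\.tmp$", re.I)   # transient copy-time temp files
MARKER_RE = re.compile(r"^[0-9a-f]{14}$")                  # e.g. 886983d96e3d3e

PATHS = [  # constructed from the report; the last entry is a clean control
    r"C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe",
    r"C:\Program Files\7-Zip\Lang\csrss.exe",
    r"C:\Program Files (x86)\Windows NT\TableTextService\es-ES\csrss.exe",
    r"C:\MSOCache\All Users\dllhost.exe",
    r"C:\ProgramData\Adobe\Updater6\lsass.exe",
    r"C:\Users\Default\Music\RCX4586.tmp",
    r"C:\ProgramData\Microsoft Help\lsass.exe",
    r"C:\Program Files (x86)\Windows NT\csrss.exe",
    r"C:\Program Files (x86)\Windows NT\886983d96e3d3e",
    r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\wininit.exe",
    r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\56085415360792",
    r"C:\Program Files\7-Zip\Lang\RCX2E0B.tmp",
    r"C:\Windows\Fonts\System.exe",
    r"C:\Windows\Fonts\27d1bcfc3c54e0",
    r"C:\Windows\Fonts\RCX32B0.tmp",
    r"C:\Windows\System32\csrss.exe",
]


def classify(path):
    directory, name = ntpath.split(path.replace("/", "\\"))
    d, n = directory.lower(), name.lower()
    if n == "system.exe":
        # The kernel's "System" process has no System.exe on disk; any such file is planted.
        return "fake-system"
    if n in SYSTEM_IMAGES:
        return "system-image-ok" if d.startswith(SYSTEM_DIRS) else "masquerade"
    if STAGING_RE.match(name):
        return "staging-tmp"
    if MARKER_RE.match(name):
        return "marker"
    return "other"


def summarize(paths):
    return Counter(classify(p) for p in paths)


def companions(paths):
    """Directories that hold both a planted executable and a hex marker file."""
    by_dir = defaultdict(dict)
    for p in paths:
        kind = classify(p)
        if kind in ("masquerade", "fake-system", "marker"):
            by_dir[ntpath.dirname(p).lower()][kind] = ntpath.basename(p)
    return {d: v for d, v in by_dir.items() if "marker" in v and len(v) > 1}


if __name__ == "__main__":
    for p in PATHS:
        print(f"{classify(p):16} {p}")
    print(dict(summarize(PATHS)))
    for d, v in companions(PATHS).items():
        print("companion pair:", d, v)
```

The same classifier applied to a full directory walk of a suspect host turns the report's indicators into a hunt: any hit in the masquerade or fake-system class outside the sandbox is worth a hash comparison against the SHA256 at the top of this page.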
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
48 x schtasks.exe, pids:
  2184, 1540, 320, 2440, 1984, 2052, 2200, 712, 3016, 2480, 1960, 2352,
  2180, 2760, 1380, 1980, 2172, 3036, 2300, 2720, 1224, 2404, 2588, 2880,
  1280, 352, 1768, 2872, 2216, 2204, 2536, 1860, 1776, 484, 2044, 1036,
  2096, 1608, 900, 2996, 1624, 1120, 2356, 1808, 1936, 448, 1736, 2680
The task names, triggers and actions are not on this page. Several of these PIDs recur elsewhere in the report for other images (2052 and 2200 as powershell.exe; 1280, 2480 and 2760 as dllhost.exe; 2180 as WScript.exe): Windows reuses PIDs quickly in a run with this many short-lived processes, so correlate on PID plus start time, never on PID alone.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process                                               rows
1620  da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe   49
2860  powershell.exe                                        1
688   powershell.exe                                        1
340   powershell.exe                                        1
2920  powershell.exe                                        1
2052  powershell.exe                                        1
2428  powershell.exe                                        1
1696  powershell.exe                                        1
2424  powershell.exe                                        1
2200  powershell.exe                                        1
2816  powershell.exe                                        1
2812  powershell.exe                                        1
836   powershell.exe                                        1
1260  dllhost.exe                                           3
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes:
Token: SeDebugPrivilege in every row.
pid   process
1620  da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
2860  powershell.exe
688   powershell.exe
340   powershell.exe
2920  powershell.exe
2052  powershell.exe
2428  powershell.exe
1696  powershell.exe
2424  powershell.exe
2200  powershell.exe
2816  powershell.exe
2812  powershell.exe
836   powershell.exe
1260  dllhost.exe
992   dllhost.exe
1812  dllhost.exe
2576  dllhost.exe
1280  dllhost.exe
2480  dllhost.exe
928   dllhost.exe
1676  dllhost.exe
2764  dllhost.exe
2936  dllhost.exe
2760  dllhost.exe
2268  dllhost.exe
SeDebugPrivilege can only be enabled if the token already holds it, which on Windows 7 means an administrative token; every process in the chain ran elevated.
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Each parent/child pair appears three times in the report (the writes CreateProcess itself makes into a new child's address space on this platform, which the sandbox counts as well): 21 pairs x3 = 63 rows, plus the first row of the next pair, where the 64-row cap cuts the list off.
pid   process                                               target pid  target process
1620  da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe   688         powershell.exe
1620  da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe   2920        powershell.exe
1620  da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe   2052        powershell.exe
1620  da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe   340         powershell.exe
1620  da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe   836         powershell.exe
1620  da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe   2860        powershell.exe
1620  da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe   2428        powershell.exe
1620  da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe   2424        powershell.exe
1620  da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe   2816        powershell.exe
1620  da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe   2812        powershell.exe
1620  da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe   1696        powershell.exe
1620  da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe   2200        powershell.exe
1620  da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe   560         cmd.exe
560   cmd.exe                                               2660        w32tm.exe
560   cmd.exe                                               1260        dllhost.exe
1260  dllhost.exe                                           2904        WScript.exe
1260  dllhost.exe                                           2180        WScript.exe
2904  WScript.exe                                           992         dllhost.exe
992   dllhost.exe                                           1872        WScript.exe
992   dllhost.exe                                           536         WScript.exe
1872  WScript.exe                                           1812        dllhost.exe
1812  dllhost.exe                                           2160        WScript.exe   (one row; list truncated at 64)
The chain reads: sample -> twelve powershell.exe children, then cmd.exe -> w32tm.exe and cmd.exe -> dllhost.exe; each dllhost.exe launches two WScript.exe instances, one of which starts the next dllhost.exe (1260 -> 2904 -> 992 -> 1872 -> 1812 -> ...), so the dropped copy keeps re-executing itself through VBScript hops. w32tm.exe is commonly run from dropper batch files purely as a delay; its command line is not on this page. Because the multiplicity here is the normal CreateProcess footprint, the indicator is the parent/child image pairing (WScript.exe starting dllhost.exe, cmd.exe starting a dllhost.exe outside System32), not the number of writes.
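The two process-relationship sections of this report (the unexpected schtasks.exe children of WmiPrvSE.exe, and the WriteProcessMemory chain directly above) can be turned back into a process tree and checked against a parent/child policy. The following is an added example, not part of the report or of the sandbox's own tooling: it parses both row formats the report uses, collapses the triplicated WriteProcessMemory rows, rebuilds the tree, reports how deep the dllhost.exe/WScript.exe relaunch chain got, and lists every pair that violates the policy. The rows are a constructed subset of the report's data, and the policy of which parents are unexpected for which children is an assumption for illustration.

```python
"""Rebuild a sandbox report's process tree and flag parent/child pairs that
should not occur.

Added example, not from the report. REPORT_ROWS is a constructed subset in the
report's two row formats; the UNEXPECTED policy is an assumption."""
import re
from collections import defaultdict

REPORT_ROWS = r"""
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2588 2684 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3016 2684 schtasks.exe
PID 1620 wrote to memory of 688 1620 da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe powershell.exe
PID 1620 wrote to memory of 688 1620 da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe powershell.exe
PID 1620 wrote to memory of 688 1620 da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe powershell.exe
PID 1620 wrote to memory of 560 1620 da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe cmd.exe
PID 560 wrote to memory of 2660 560 cmd.exe w32tm.exe
PID 560 wrote to memory of 1260 560 cmd.exe dllhost.exe
PID 1260 wrote to memory of 2904 1260 dllhost.exe WScript.exe
PID 2904 wrote to memory of 992 2904 WScript.exe dllhost.exe
PID 992 wrote to memory of 1872 992 dllhost.exe WScript.exe
PID 1872 wrote to memory of 1812 1872 WScript.exe dllhost.exe
"""

# "PID <a> wrote to memory of <b> <a> <image_a> <image_b>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")
# "Parent <path> is not expected to spawn this process <pid> <pid_target> <image>"
PARENT_RE = re.compile(r"Parent (\S+) is not expected to spawn this process (\d+) (\d+) (\S+)")

# Assumed policy: parent image -> child images it has no business starting.
UNEXPECTED = {
    "wmiprvse.exe": {"schtasks.exe", "cmd.exe", "powershell.exe"},
    "wscript.exe": {"dllhost.exe"},
    "cmd.exe": {"dllhost.exe"},
}


def parse_rows(text):
    """Return {(parent_pid, child_pid): (parent_image, child_image)}; duplicates collapse."""
    edges = {}
    for line in text.splitlines():
        m = WPM_RE.search(line)
        if m:
            edges[(int(m[1]), int(m[2]))] = (m[3].lower(), m[4].lower())
            continue
        m = PARENT_RE.search(line)
        if m:  # report column order is pid (child) then pid_target (parent)
            parent_image = m[1].rsplit("\\", 1)[-1].lower()
            edges[(int(m[3]), int(m[2]))] = (parent_image, m[4].lower())
    return edges


def unexpected_pairs(edges):
    return sorted((pp, pi, cp, ci) for (pp, cp), (pi, ci) in edges.items()
                  if ci in UNEXPECTED.get(pi, ()))


def build_tree(edges):
    """Children lists, pid -> image, and the roots (pids never seen as a child)."""
    children, names = defaultdict(list), {}
    for (pp, cp), (pi, ci) in sorted(edges.items()):
        children[pp].append(cp)
        names[pp], names[cp] = pi, ci
    child_pids = {cp for (_, cp) in edges}
    roots = sorted(p for p in names if p not in child_pids)
    return children, names, roots


def render(children, names, pid, depth=0):
    lines = ["  " * depth + f"{names[pid]} ({pid})"]
    for c in children.get(pid, []):
        lines += render(children, names, c, depth + 1)
    return lines


def depth_of(edges, pid):
    """Hops from a root down to pid: how far the dllhost/WScript relaunch chain got."""
    parent = {cp: pp for (pp, cp) in edges}
    hops = 0
    while pid in parent:
        pid, hops = parent[pid], hops + 1
    return hops


if __name__ == "__main__":
    edges = parse_rows(REPORT_ROWS)
    children, names, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render(children, names, root)))
    for pp, pi, cp, ci in unexpected_pairs(edges):
        print(f"UNEXPECTED PARENT: {pi} ({pp}) -> {ci} ({cp})")
```

WmiPrvSE.exe comes out as a second root with no parent of its own in the data, which is exactly the blind spot described under "Process spawned unexpected child process": the tree shows who the WMI host started, but not who asked it to.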
System policy modification 1 TTPs 39 IoCs
Processes:
dllhost.exe, dllhost.exe, dllhost.exe, dllhost.exe, dllhost.exe, dllhost.exe, da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe, dllhost.exe, dllhost.exe, dllhost.exe, dllhost.exe, dllhost.exe, dllhost.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1620
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:688
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:340
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:836
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
C:\Windows\System32\cmd.exe (depth 2)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\975DOJvBwA.bat"
  - Suspicious use of WriteProcessMemory
  PID:560
C:\Windows\system32\w32tm.exe (depth 3)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2660
C:\MSOCache\All Users\dllhost.exe (depth 3)
  Command line: "C:\MSOCache\All Users\dllhost.exe"
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1260
C:\Windows\System32\WScript.exe (depth 4)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e2015e1-9de3-40d9-9498-5d86330c1ffe.vbs"
  - Suspicious use of WriteProcessMemory
  PID:2904
C:\MSOCache\All Users\dllhost.exe (depth 5)
  Command line: "C:\MSOCache\All Users\dllhost.exe"
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:992
C:\Windows\System32\WScript.exe (depth 6)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44147dcb-cc2f-494a-bff0-d297e8ab25e0.vbs"
  - Suspicious use of WriteProcessMemory
  PID:1872
C:\MSOCache\All Users\dllhost.exe (depth 7)
  Command line: "C:\MSOCache\All Users\dllhost.exe"
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1812
C:\Windows\System32\WScript.exe (depth 8)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9d29ded-b1be-4ae0-bd66-9934a6581e61.vbs"
  PID:2160
C:\MSOCache\All Users\dllhost.exe (depth 9)
  Command line: "C:\MSOCache\All Users\dllhost.exe"
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2576
C:\Windows\System32\WScript.exe (depth 10)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff2f51e7-6311-4120-8bb4-8f30828e7a97.vbs"
  PID:1704
C:\MSOCache\All Users\dllhost.exe (depth 11)
  Command line: "C:\MSOCache\All Users\dllhost.exe"
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1280
C:\Windows\System32\WScript.exe (depth 12)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c327601-3250-4502-8e78-7786749bbcb7.vbs"
  PID:760
C:\MSOCache\All Users\dllhost.exe (depth 13)
  Command line: "C:\MSOCache\All Users\dllhost.exe"
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2480
C:\Windows\System32\WScript.exe (depth 14)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2ce8f7a-d2ab-43af-a77d-8256a62ab62a.vbs"
  PID:1940
C:\MSOCache\All Users\dllhost.exe (depth 15)
  Command line: "C:\MSOCache\All Users\dllhost.exe"
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:928
C:\Windows\System32\WScript.exe (depth 16)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\731d4967-d31e-4e8c-b242-92bb7dbca494.vbs"
  PID:1192
C:\MSOCache\All Users\dllhost.exe (depth 17)
  Command line: "C:\MSOCache\All Users\dllhost.exe"
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1676
C:\Windows\System32\WScript.exe (depth 18)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7104dc35-1082-4716-b98f-7e4dff457c03.vbs"
  PID:2460
C:\MSOCache\All Users\dllhost.exe (depth 19)
  Command line: "C:\MSOCache\All Users\dllhost.exe"
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2764
C:\Windows\System32\WScript.exe (depth 20)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77b8499b-8f07-4007-bea7-7851fdfa0d67.vbs"
  PID:2240
C:\MSOCache\All Users\dllhost.exe (depth 21)
  Command line: "C:\MSOCache\All Users\dllhost.exe"
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2936
C:\Windows\System32\WScript.exe (depth 22)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b657a66-38ba-4374-a469-85bc2c251b46.vbs"
  PID:1556
C:\MSOCache\All Users\dllhost.exe (depth 23)
  Command line: "C:\MSOCache\All Users\dllhost.exe"
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2760
C:\Windows\System32\WScript.exe (depth 24)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bba88df0-dab3-4108-aa84-9b58efd0ae1b.vbs"
  PID:1768
C:\MSOCache\All Users\dllhost.exe (depth 25)
  Command line: "C:\MSOCache\All Users\dllhost.exe"
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2268
C:\Windows\System32\WScript.exe (depth 26)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5239759f-5e77-4774-9bf0-9fe579501fcd.vbs"
  PID:1676
C:\Windows\System32\WScript.exe (depth 26)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53446691-205b-4738-8a61-40ebb282f6b4.vbs"
  PID:2564
C:\Windows\System32\WScript.exe (depth 24)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80184ac8-f4b9-4973-abf2-e7ff331e66e7.vbs"
  PID:2736
C:\Windows\System32\WScript.exe (depth 22)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a457c264-2664-4c57-a35e-49a08c13bb81.vbs"
  PID:1344
C:\Windows\System32\WScript.exe (depth 20)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c648ebf5-09dc-4422-81c0-4755c483dc88.vbs"
  PID:1656
C:\Windows\System32\WScript.exe (depth 18)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a5c7089-e6e0-4386-a2fc-61c1135d123c.vbs"
  PID:1268
C:\Windows\System32\WScript.exe (depth 16)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78583bdd-3533-4700-adbd-674fdea49726.vbs"
  PID:340
C:\Windows\System32\WScript.exe (depth 14)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60a0e82b-7917-479f-9d33-1bbebd8d23ae.vbs"
  PID:2904
C:\Windows\System32\WScript.exe (depth 12)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0beb8ac1-dd4c-4efe-9683-8cff200e0ee5.vbs"
  PID:2352
C:\Windows\System32\WScript.exe (depth 10)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0993398-6304-4cdf-8a68-72091d68a8fd.vbs"
  PID:2676
C:\Windows\System32\WScript.exe (depth 8)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3eeb865e-d19e-4d63-b214-22ec8dd9b50d.vbs"
  PID:3040
C:\Windows\System32\WScript.exe (depth 6)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd685df6-6b82-45f0-94f0-cf05269c4931.vbs"
  PID:536
C:\Windows\System32\WScript.exe (depth 4)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9995948e-2435-48e8-9432-61a8c13d89f3.vbs"
  PID:2180
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsm.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2588
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:3016
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:1624
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "da302f8b90f36acd84743c7639d4e0d0_NeikiAnalyticsd" /sc MINUTE /mo 5 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2680
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2720
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "da302f8b90f36acd84743c7639d4e0d0_NeikiAnalyticsd" /sc MINUTE /mo 13 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2172
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Saved Games\audiodg.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2480
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2536
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Saved Games\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2880
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2052
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:1280
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:1960
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:1224
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:1120
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2200
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\System.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2356
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2044
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2352
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\explorer.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:1036
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2180
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2184
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\taskhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:352
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:1768
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2872
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2760
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:1540
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2216
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2096
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:320
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:484
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:712
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2204
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:1860
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Updater6\lsass.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:1808
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:1936
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Updater6\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:448
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2440
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:1380
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:1736
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Music\audiodg.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:1776
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Music\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:1980
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Music\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:1984
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft Help\lsass.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:1608
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:900
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft Help\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2300
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\wininit.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2996
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:2404
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:3036
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads
SHA25668bd4da53a2c45d2587cc562c5c300e322b0577ada05844624c2d168efdf8cfc
SHA512a183f5a4a05528e57989421a932cc1e719084bd521867f1a0897c3d6d36045c373694caad1b6518ede37c838d4482b292dca9ceed41f242d883c3fce2c10edea
-
Filesize
3.2MB
MD58a769600a2f9fca385bbc608fac9ce5c
SHA17cb96efa050b4ce4069e59368207448308960fa4
SHA2567fcc94712003093d6350e47b0b4cdb2703b281eacfb9222ec588483caeef6c2f
SHA512c40ec8a56de495451e0b3d9a481bbbed093fa4fa15dfa8664f26ab6403c8b6389883e7f4d26ff31ba48a665c2580a5a15d716a6016f195a64d1043769d391a9f
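The dropped-file list above is only useful as an indicator set once it is parsed into records and compared against files actually recovered from a host. The following Python is an added example, not part of the sandbox report or its tooling: it parses the report's "label on one line, value on the next" layout (and the fused "MD5<hex>" form that text extraction produces), validates digest lengths, and matches a file's observed hashes against the records, rejecting any entry where a shared algorithm disagrees. The two sample entries embedded in `SAMPLE_REPORT` are copied from the list above; the class and function names (`DroppedFile`, `parse_dropped_files`, `check_hashes`) are this example's own.

```python
"""Parse a sandbox report's dropped-file hash list into IOC records and check
observed hashes against it. Added example; names are this example's own."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
SIZE_UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
LABELS = ("Filesize",) + tuple(HASH_LEN)

# Constructed sample: two entries copied from the report's dropped-file list,
# in the page's own layout (entries separated by a lone "-" line).
SAMPLE_REPORT = """\
Filesize
709B
MD5
ea6d199cb3b78accf256018571cc6d33
SHA1
832cc1113e6074151147cb6cf3caec8ca26f5878
SHA256
4c50e37553760fdde86e45493e77b922807cb69b62aed1f9c78a8f6a5b40e391
SHA512
7d5999e850fd65be2a552ba2f54314c1baedcaa3bc8da0269b3231311630358200814a4d56a521370ff4c6f2fe7e70e6892342824fecd539085bdaee4c4d2450
-
C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
f1668cae22f749bf0ad19f25479f0569
SHA1
958111a610c26f39fb0af8aadb07962d8ac9c6c1
SHA256
68bd4da53a2c45d2587cc562c5c300e322b0577ada05844624c2d168efdf8cfc
SHA512
a183f5a4a05528e57989421a932cc1e719084bd521867f1a0897c3d6d36045c373694caad1b6518ede37c838d4482b292dca9ceed41f242d883c3fce2c10edea
"""


@dataclass
class DroppedFile:
    path: Optional[str] = None
    size_bytes: Optional[int] = None  # approximate: the report rounds ("7KB", "3.2MB")
    hashes: Dict[str, str] = field(default_factory=dict)


def parse_size(text: str) -> int:
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)?)\s*([KMG]?B)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * SIZE_UNIT[m.group(2)])


def _split_label(tok: str):
    """Return (label, value). value is None when it sits on the next line;
    the fused 'MD5ea6d...' extraction form yields it directly."""
    for label in LABELS:
        if tok == label:
            return label, None
        if tok.startswith(label) and tok[len(label):].strip():
            return label, tok[len(label):].strip()
    return None, None


def parse_dropped_files(report: str) -> List[DroppedFile]:
    entries: List[DroppedFile] = []
    for chunk in re.split(r"^-[ \t]*$", report, flags=re.M):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        entry, i = DroppedFile(), 0
        while i < len(lines):
            label, value = _split_label(lines[i])
            i += 1
            if label is None:           # a bare line is the drop path
                entry.path = lines[i - 1]
                continue
            if value is None:
                if i >= len(lines):
                    raise ValueError(f"{label} without a value")
                value, i = lines[i], i + 1
            if label == "Filesize":
                entry.size_bytes = parse_size(value)
            else:
                value = value.lower()
                if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[label], value):
                    raise ValueError(f"bad {label} digest: {value}")
                entry.hashes[label] = value
        if entry.hashes:  # keep partial entries (page breaks) that still carry a digest
            entries.append(entry)
    return entries


def hash_bytes(data: bytes) -> Dict[str, str]:
    return {name: hashlib.new(name.lower(), data).hexdigest() for name in HASH_LEN}


def hash_file(path: str) -> Dict[str, str]:
    digests = {name: hashlib.new(name.lower()) for name in HASH_LEN}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def check_hashes(observed: Dict[str, str], entries: List[DroppedFile]) -> Optional[DroppedFile]:
    """Return the entry agreeing with `observed` on every algorithm both sides
    have; one disagreeing algorithm rejects it, so a lone MD5 collision cannot
    match when a SHA256 is also present."""
    for entry in entries:
        common = set(entry.hashes) & set(observed)
        if common and all(entry.hashes[a] == observed[a].lower() for a in common):
            return entry
    return None


if __name__ == "__main__":
    iocs = parse_dropped_files(SAMPLE_REPORT)
    for e in iocs:
        print(e.size_bytes, e.hashes["SHA256"], e.path or "")
    print(check_hashes(hash_bytes(b""), iocs))  # None: an empty file matches nothing
```

To sweep a recovered artifact, call `check_hashes(hash_file(path), iocs)`; a hit returns the record, including the drop path when the report gave one. The sizes are rounded in the report, so they serve only as a sanity check, never as a match criterion.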