Analysis
max time kernel: 150s
max time network: 147s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 16-05-2024 11:17
Behavioral task: behavioral1
Sample: dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
Resource: win7-20240419-en
General
Target: dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
Size: 3.2MB
MD5: dc4a687b17405db35530af6aa40cd2b0
SHA1: acaeb4c374b0e1b55e7891cf5e20498e3b9cdd88
SHA256: 3f40b000017400edfb42a468c94ce03625a7003a238fae61929f20ee35c67f44
SHA512: 620ce4b0a8673598dd5975a8b304eeaff6eab85084a39d5a46efcf3b209b8f51a1eb8d81d5c6709e1ec5e67b913b9534ff440d5784aa03662cbdabb105a47487
SSDEEP: 49152:vC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:vC0Fl8v/qXYrv5tG9uKJGAWl5N
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process (30 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (30 instances)
All 30 rows carry the same description: "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process".
pid | pid_target | process
2744 | 2308 | schtasks.exe
2436 | 2308 | schtasks.exe
2528 | 2308 | schtasks.exe
2956 | 2308 | schtasks.exe
2120 | 2308 | schtasks.exe
1756 | 2308 | schtasks.exe
2700 | 2308 | schtasks.exe
2640 | 2308 | schtasks.exe
2804 | 2308 | schtasks.exe
1752 | 2308 | schtasks.exe
468 | 2308 | schtasks.exe
1776 | 2308 | schtasks.exe
2244 | 2308 | schtasks.exe
2116 | 2308 | schtasks.exe
1216 | 2308 | schtasks.exe
616 | 2308 | schtasks.exe
1192 | 2308 | schtasks.exe
2384 | 2308 | schtasks.exe
840 | 2308 | schtasks.exe
1236 | 2308 | schtasks.exe
1684 | 2308 | schtasks.exe
2848 | 2308 | schtasks.exe
2180 | 2308 | schtasks.exe
1612 | 2308 | schtasks.exe
1884 | 2308 | schtasks.exe
1616 | 2308 | schtasks.exe
380 | 2308 | schtasks.exe
2420 | 2308 | schtasks.exe
1412 | 2308 | schtasks.exe
640 | 2308 | schtasks.exe
UAC bypass (21 IoCs)
Processes: csrss.exe (6 instances), dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
All ioc paths below are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
description | ioc | process
Set value (int) | PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | EnableLUA = "0" | csrss.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | EnableLUA = "0" | csrss.exe
Set value (int) | EnableLUA = "0" | csrss.exe
Set value (int) | EnableLUA = "0" | csrss.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | EnableLUA = "0" | dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
Set value (int) | PromptOnSecureDesktop = "0" | dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
Set value (int) | EnableLUA = "0" | csrss.exe
Set value (int) | PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | EnableLUA = "0" | csrss.exe
Set value (int) | PromptOnSecureDesktop = "0" | csrss.exe
YARA rule matches
resource | yara_rule
behavioral1/memory/1860-1-0x00000000008D0000-0x0000000000C0C000-memory.dmp | dcrat
C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe | dcrat
C:\Program Files (x86)\Common Files\csrss.exe | dcrat
C:\ProgramData\Microsoft\Windows\Templates\audiodg.exe | dcrat
C:\ProgramData\Microsoft\csrss.exe | dcrat
behavioral1/memory/748-241-0x0000000001270000-0x00000000015AC000-memory.dmp | dcrat
behavioral1/memory/2344-264-0x0000000000380000-0x00000000006BC000-memory.dmp | dcrat
behavioral1/memory/1508-276-0x0000000000EA0000-0x00000000011DC000-memory.dmp | dcrat
behavioral1/memory/1144-288-0x0000000001360000-0x000000000169C000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTP, 12 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes: powershell.exe (12 instances)
pid | process
1524 | powershell.exe
2584 | powershell.exe
2736 | powershell.exe
2648 | powershell.exe
2560 | powershell.exe
1528 | powershell.exe
1532 | powershell.exe
2596 | powershell.exe
2668 | powershell.exe
2652 | powershell.exe
3028 | powershell.exe
2316 | powershell.exe
Executes dropped EXE (6 IoCs)
Processes: csrss.exe (6 instances)
pid | process
748 | csrss.exe
2572 | csrss.exe
2344 | csrss.exe
1508 | csrss.exe
1144 | csrss.exe
2836 | csrss.exe
Checks whether UAC is enabled (14 IoCs)
Processes: csrss.exe (6 instances), dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
All ioc paths below are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
description | ioc | process
Key value queried | EnableLUA | csrss.exe
Set value (int) | EnableLUA = "0" | csrss.exe
Key value queried | EnableLUA | dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
Key value queried | EnableLUA | csrss.exe
Set value (int) | EnableLUA = "0" | csrss.exe
Set value (int) | EnableLUA = "0" | csrss.exe
Set value (int) | EnableLUA = "0" | csrss.exe
Set value (int) | EnableLUA = "0" | csrss.exe
Set value (int) | EnableLUA = "0" | csrss.exe
Key value queried | EnableLUA | csrss.exe
Key value queried | EnableLUA | csrss.exe
Set value (int) | EnableLUA = "0" | dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
Key value queried | EnableLUA | csrss.exe
Key value queried | EnableLUA | csrss.exe
Drops file in Program Files directory (25 IoCs)
Processes: dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
All 25 rows have process = dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe.
description | ioc
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\es-ES\RCX122D.tmp
File opened for modification | C:\Program Files (x86)\Common Files\RCX14AE.tmp
File opened for modification | C:\Program Files\Windows Photo Viewer\fr-FR\RCX1BC5.tmp
File created | C:\Program Files\Windows NT\TableTextService\explorer.exe
File created | C:\Program Files (x86)\Microsoft Analysis Services\wininit.exe
File created | C:\Program Files (x86)\Common Files\csrss.exe
File created | C:\Program Files\Windows NT\TableTextService\7a0fd90576e088
File opened for modification | C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe
File created | C:\Program Files (x86)\Windows NT\Accessories\es-ES\spoolsv.exe
File created | C:\Program Files (x86)\Microsoft Analysis Services\56085415360792
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\es-ES\RCX121C.tmp
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\es-ES\spoolsv.exe
File created | C:\Program Files (x86)\Common Files\886983d96e3d3e
File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\RCX2725.tmp
File opened for modification | C:\Program Files (x86)\Common Files\RCX1440.tmp
File opened for modification | C:\Program Files (x86)\Common Files\csrss.exe
File opened for modification | C:\Program Files\Windows NT\TableTextService\RCX2521.tmp
File created | C:\Program Files\Windows Photo Viewer\fr-FR\886983d96e3d3e
File opened for modification | C:\Program Files\Windows Photo Viewer\fr-FR\RCX1BC6.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\wininit.exe
File opened for modification | C:\Program Files\Windows NT\TableTextService\RCX2520.tmp
File opened for modification | C:\Program Files\Windows NT\TableTextService\explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\RCX2724.tmp
File created | C:\Program Files (x86)\Windows NT\Accessories\es-ES\f3b6ecef712a24
File created | C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 30 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (30 instances)
pid | process
2244 | schtasks.exe
1616 | schtasks.exe
1412 | schtasks.exe
2116 | schtasks.exe
840 | schtasks.exe
2848 | schtasks.exe
1884 | schtasks.exe
2744 | schtasks.exe
2528 | schtasks.exe
1216 | schtasks.exe
616 | schtasks.exe
2384 | schtasks.exe
1684 | schtasks.exe
640 | schtasks.exe
1752 | schtasks.exe
1776 | schtasks.exe
2804 | schtasks.exe
2700 | schtasks.exe
468 | schtasks.exe
2180 | schtasks.exe
380 | schtasks.exe
2420 | schtasks.exe
2436 | schtasks.exe
1756 | schtasks.exe
1612 | schtasks.exe
2120 | schtasks.exe
1192 | schtasks.exe
1236 | schtasks.exe
2956 | schtasks.exe
2640 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe, powershell.exe (12 instances), csrss.exe
pid | process
1860 | dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe (listed 33 times)
2736 | powershell.exe
1532 | powershell.exe
1528 | powershell.exe
1524 | powershell.exe
3028 | powershell.exe
2596 | powershell.exe
2584 | powershell.exe
2668 | powershell.exe
2316 | powershell.exe
2652 | powershell.exe
2560 | powershell.exe
2648 | powershell.exe
748 | csrss.exe (listed 19 times)
Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes: dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe, powershell.exe (12 instances), csrss.exe (6 instances)
description | pid | process
Token: SeDebugPrivilege | 1860 | dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2736 | powershell.exe
Token: SeDebugPrivilege | 1532 | powershell.exe
Token: SeDebugPrivilege | 1528 | powershell.exe
Token: SeDebugPrivilege | 1524 | powershell.exe
Token: SeDebugPrivilege | 3028 | powershell.exe
Token: SeDebugPrivilege | 2596 | powershell.exe
Token: SeDebugPrivilege | 2584 | powershell.exe
Token: SeDebugPrivilege | 2668 | powershell.exe
Token: SeDebugPrivilege | 2316 | powershell.exe
Token: SeDebugPrivilege | 2652 | powershell.exe
Token: SeDebugPrivilege | 2560 | powershell.exe
Token: SeDebugPrivilege | 2648 | powershell.exe
Token: SeDebugPrivilege | 748 | csrss.exe
Token: SeDebugPrivilege | 2572 | csrss.exe
Token: SeDebugPrivilege | 2344 | csrss.exe
Token: SeDebugPrivilege | 1508 | csrss.exe
Token: SeDebugPrivilege | 1144 | csrss.exe
Token: SeDebugPrivilege | 2836 | csrss.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe, cmd.exe, csrss.exe, WScript.exe, csrss.exe, WScript.exe, csrss.exe
Each parent/target pair below is recorded three times in the report except the last, which is recorded once.
description | pid | process | target process
PID 1860 wrote to memory of 1524 | 1860 | dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | powershell.exe
PID 1860 wrote to memory of 1532 | 1860 | dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | powershell.exe
PID 1860 wrote to memory of 1528 | 1860 | dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | powershell.exe
PID 1860 wrote to memory of 2316 | 1860 | dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | powershell.exe
PID 1860 wrote to memory of 3028 | 1860 | dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | powershell.exe
PID 1860 wrote to memory of 2596 | 1860 | dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | powershell.exe
PID 1860 wrote to memory of 2584 | 1860 | dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | powershell.exe
PID 1860 wrote to memory of 2648 | 1860 | dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | powershell.exe
PID 1860 wrote to memory of 2668 | 1860 | dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | powershell.exe
PID 1860 wrote to memory of 2736 | 1860 | dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | powershell.exe
PID 1860 wrote to memory of 2652 | 1860 | dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | powershell.exe
PID 1860 wrote to memory of 2560 | 1860 | dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | powershell.exe
PID 1860 wrote to memory of 2756 | 1860 | dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe | cmd.exe
PID 2756 wrote to memory of 572 | 2756 | cmd.exe | w32tm.exe
PID 2756 wrote to memory of 748 | 2756 | cmd.exe | csrss.exe
PID 748 wrote to memory of 1924 | 748 | csrss.exe | WScript.exe
PID 748 wrote to memory of 1608 | 748 | csrss.exe | WScript.exe
PID 1924 wrote to memory of 2572 | 1924 | WScript.exe | csrss.exe
PID 2572 wrote to memory of 2984 | 2572 | csrss.exe | WScript.exe
PID 2572 wrote to memory of 1624 | 2572 | csrss.exe | WScript.exe
PID 2984 wrote to memory of 2344 | 2984 | WScript.exe | csrss.exe
PID 2344 wrote to memory of 1496 | 2344 | csrss.exe | WScript.exe
System policy modification (1 TTP, 21 IoCs)
Processes: dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe, csrss.exe (6 instances)
All ioc paths below are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
description | ioc | process
Set value (int) | EnableLUA = "0" | dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
Set value (int) | EnableLUA = "0" | csrss.exe
Set value (int) | EnableLUA = "0" | csrss.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | EnableLUA = "0" | csrss.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | PromptOnSecureDesktop = "0" | dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | EnableLUA = "0" | csrss.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
Set value (int) | PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | EnableLUA = "0" | csrss.exe
Set value (int) | PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | EnableLUA = "0" | csrss.exe
Set value (int) | PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | PromptOnSecureDesktop = "0" | csrss.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1860 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2316 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2560

C:\Windows\System32\cmd.exe (tree depth 2)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C6ojzqIZqD.bat"
- Suspicious use of WriteProcessMemory
PID: 2756

C:\Windows\system32\w32tm.exe (tree depth 3)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 572

C:\Program Files (x86)\Common Files\csrss.exe (tree depth 3)
  "C:\Program Files (x86)\Common Files\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 748

C:\Windows\System32\WScript.exe (tree depth 4)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a6f3677-dbcc-4b3c-a7be-3a88cfb5c71d.vbs"
- Suspicious use of WriteProcessMemory
PID: 1924

C:\Program Files (x86)\Common Files\csrss.exe (tree depth 5)
  "C:\Program Files (x86)\Common Files\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2572

C:\Windows\System32\WScript.exe (tree depth 6)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2806871b-da50-4591-8606-0f40d0514b19.vbs"
- Suspicious use of WriteProcessMemory
PID: 2984

C:\Program Files (x86)\Common Files\csrss.exe (tree depth 7)
  "C:\Program Files (x86)\Common Files\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2344

C:\Windows\System32\WScript.exe (tree depth 8)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea2db112-e23a-4cfd-8dc5-ef0f6d680cf3.vbs"
PID: 1496

C:\Program Files (x86)\Common Files\csrss.exe (tree depth 9)
  "C:\Program Files (x86)\Common Files\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 1508

C:\Windows\System32\WScript.exe (tree depth 10)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80cac005-5464-42b3-b6f7-ccbdff9ac61b.vbs"
PID: 2364

C:\Program Files (x86)\Common Files\csrss.exe (tree depth 11)
  "C:\Program Files (x86)\Common Files\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 1144

C:\Windows\System32\WScript.exe (tree depth 12)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\082872b8-b9c9-47a1-8c4a-4c00cc176239.vbs"
PID: 1984

C:\Program Files (x86)\Common Files\csrss.exe (tree depth 13)
  "C:\Program Files (x86)\Common Files\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 2836

C:\Windows\System32\WScript.exe (tree depth 14)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b23422f-d73b-43d3-9f6a-dca94ed7879f.vbs"
PID: 2108

C:\Windows\System32\WScript.exe (tree depth 14)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45959d14-2b03-4732-9893-d5a2da94bc29.vbs"
PID: 2240

C:\Windows\System32\WScript.exe (tree depth 12)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55417941-8078-47bf-abab-99b63f05c350.vbs"
PID: 1740

C:\Windows\System32\WScript.exe (tree depth 10)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfa4c0b3-9bfd-42d3-bb6a-6770e6ebd2a6.vbs"
PID: 1236

C:\Windows\System32\WScript.exe (tree depth 8)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5f5c2e7-8ca2-4962-8867-f7ee5a4881e3.vbs"
PID: 2892

C:\Windows\System32\WScript.exe (tree depth 6)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4f99d70-9aba-4b1e-b817-b45033e35577.vbs"
PID: 1624

C:\Windows\System32\WScript.exe (tree depth 4)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a7010f0-a0bf-46bb-9996-bde873b688d7.vbs"
PID: 1608
C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2744

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2436

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2528

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2956

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2120

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1756

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\lsass.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2700

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2640

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2804

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1752

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 468

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1776

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2244

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2116

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1216

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\audiodg.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1192

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Templates\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 616

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2384

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 840

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1236

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1684

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2848

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2180

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1612

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\explorer.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1884

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1616

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 380

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\wininit.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2420

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1412

C:\Windows\system32\schtasks.exe (tree depth 1)
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 640
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads
-
Filesize: 3.2MB
MD5: 8619675d9facaebcdb15ac1ca117b1a9
SHA1: 3c0548be4af55784db8a1eff6137e05098cf11af
SHA256: 80046fb86243ebcbc22711ab5ef87b0155c21be7c48c4d6dd85b76d7961df4d3
SHA512: 56ec4ca27854e0ac7743584cfcdd31dc9f41e2d0b726d31746d8f682f66531f0049c9fed7329492978498ab5c8a25229b79a4e2a29fcae5d14dcaaad4d5d936d
-
Filesize: 3.2MB
MD5: dc4a687b17405db35530af6aa40cd2b0
SHA1: acaeb4c374b0e1b55e7891cf5e20498e3b9cdd88
SHA256: 3f40b000017400edfb42a468c94ce03625a7003a238fae61929f20ee35c67f44
SHA512: 620ce4b0a8673598dd5975a8b304eeaff6eab85084a39d5a46efcf3b209b8f51a1eb8d81d5c6709e1ec5e67b913b9534ff440d5784aa03662cbdabb105a47487
-
Filesize: 3.2MB
MD5: 846567f7be74008c7943ac705f408edf
SHA1: 684c2d7abe5cc500d658216fa2007a1deb06543b
SHA256: 8e758eddac1ab550835c9388cea160de727f8aa185e642717e5fe96dfd6aadbd
SHA512: 694de66c3e0909496ac512c57e02352073174c8939a16fe85e44392e857a972138c17ee014704cf5fc25d060027518a90ab550daa9aa6846f777bdc45fadbc5d
-
Filesize: 3.2MB
MD5: 7515fec42a8153473337c1507e8273d7
SHA1: 0e0f88724607103c79837382edc842ac21f520f7
SHA256: f1c3aec53ff4ea63a13f4ff740231e0cc8c849633b52a382d9f5e16cc2f4a8c7
SHA512: 7f42221192ea5b9ac8ba0b2fe7232a3c9c7ad727728a038d79bc488097854cca8433724cd3e96bf29db8d84810af5f7291c10229d5277d1994ae65b45e532f06
-
Filesize: 721B
MD5: 8003664e5b32a5cafe0c7d8b699c9351
SHA1: acbe1bb6dd686166c1c6d0f0a84ddcaee0b658a2
SHA256: b0535ad65a2da1f04d0a40095ba2a08bf02db8a209f8c03fefc02cf1be7a2e99
SHA512: 4d7aa6851701fd267e67a523532c9e702112f0e0b9a474869d89ab94833b9a68cd80a2515b54b93ba56b03137947c20549cadb0a727c2b18c604cc056710b9cb
-
Filesize: 721B
MD5: b00d712201b9ecc070af45733defdf27
SHA1: d42f7a8090553b29f0ccdafa1a181672d7170007
SHA256: 0444c3c8977c837ff64b352550dddbe8643b9a5a388455fb01e9b63dd9e456c1
SHA512: 17b46f81c443b9fd2b753e4db8f17b33dc0128ff16365ae13b0df45bd0701a5922b6330d77630d772734d3a4a102a194d4872976c2c873d1796dd41d9ab30e34
-
Filesize: 721B
MD5: b33c089fb1d7cf43c98cc9660bd32d2a
SHA1: d4a91d2f25fa76cb8369d529a410666de8357521
SHA256: 536ac86e434e703e239571061c6252d84940965ca07285a53d1960894166efc0
SHA512: 9734334017fd38b8f1db341ecaba2a2ce9247ff7d0727f167a31b2cf43ad66fe5662b80ff2916eb72f58d0a52d2d72ab5acbd3e478b91a0a9f8a38535dab2b11
-
Filesize: 497B
MD5: 52b7a4e80fd6da781c2da3d84544d252
SHA1: ea871d5e58ca2494fddb770c5076ad67bb36ae9c
SHA256: e3d63a11320cccebee50c08c6276351207da6248ca19918c201bca4058c892a3
SHA512: f7e684e01d72024f3a62edfcea2182d26dffab9414473213059910fecd19bc11b513b343b0a6dddf011b17f1a6c5efa96d0dc67ffc153758d94ce8c179b2425d
-
Filesize: 720B
MD5: bea91e081473ea29f997ef171b40ff2c
SHA1: 32c379cf76d387266f618306bde41094ec6d9720
SHA256: 7b61eab4c0f3b51e7491aa974cb2a99a6995b0d7aac65e2596d6e299dbcb2ae3
SHA512: d06fbdd35db09dbcd890650352a251bfb18f702b052cfe3bc3330b3baf03fb49a4d2fde222a48171f85467091be1ce85c5349fc3d7b53e05ce3789dcd58bc6ce
-
Filesize: 721B
MD5: c7c634c3c2e44e37115f0509f7b29bd3
SHA1: 13565058a292ad0373e634704857aa4cd921531a
SHA256: c10c95e0d626751694a2ee69230a0a36e24227e0483296e5f00042611e549c6d
SHA512: cd4ee4139f6e9baeb7799dc2ff24167234c8d4b381b1c38ac75cd4c88923aee51cdca2479cb64a4bf8cc16f5e3d93f053bb4d535276a201f18bb778197e399c9
-
Filesize: 210B
MD5: 8623ca35055e8eecafb3bbeed719b775
SHA1: 716ae42d2bd86aa799d1ab6776f1881f1df260c4
SHA256: fbaaa99e83c4757fc1107baf75ca7a4d4b548f06b0e16e1e3ed5b910b361729a
SHA512: 8b19435ce1685f22262b4084c9a891a08f8ee0f0e6452460de29795f2523bbe11645edc4f755fa4b8c0701645f11d0a5c15a9dc636739dc6e7d9762581907148
-
Filesize: 721B
MD5: 13f00e77e0fffd18038123841ef4bcb3
SHA1: 266466f4ddfb8c2edeb1af52409f78026c66755a
SHA256: f76b124101124cacd0bc2d8b55483817f7bf6f2b288fa49e5a004be4c432b27a
SHA512: aa63e9042ca83170f03a59190ef91ccc32ea9d77b08778e1e3d14ed48497f2d34665808efcd632dd1e8dd3cae9b1388058f6030099fb16f689f565acd0ecd3a9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: c609982eb0d748e330ead233ca27aa1b
SHA1: 3afc9753b9d7aecb3579016c9fd7d6a46d1d9b78
SHA256: 44bc50c8c368ee7902f1e482da71266e7adf36ee6ac87cfe81e62c0e3383b06c
SHA512: 52035c2a7eb033eebb489fb925451a35c644a5cb77e0bd69c90259b89cb19136a09bede6ec63d0218a2f5aa7983523184d741df18a18b3a1985da862cee3e7e0