Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-05-2024 11:17
Behavioral task: behavioral1
- Sample: dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- Resource: win7-20240419-en
General
- Target: dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- Size: 3.2MB
- MD5: dc4a687b17405db35530af6aa40cd2b0
- SHA1: acaeb4c374b0e1b55e7891cf5e20498e3b9cdd88
- SHA256: 3f40b000017400edfb42a468c94ce03625a7003a238fae61929f20ee35c67f44
- SHA512: 620ce4b0a8673598dd5975a8b304eeaff6eab85084a39d5a46efcf3b209b8f51a1eb8d81d5c6709e1ec5e67b913b9534ff440d5784aa03662cbdabb105a47487
- SSDEEP: 49152:vC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:vC0Fl8v/qXYrv5tG9uKJGAWl5N
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
Processes involved: schtasks.exe (18 instances)
Columns: description; pid; pid_target; process / target process
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 3152; 1844; schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 2660; 1844; schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 3924; 1844; schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 2252; 1844; schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 4188; 1844; schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 516; 1844; schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 2892; 1844; schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 1592; 1844; schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 4612; 1844; schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 2332; 1844; schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 848; 1844; schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 2684; 1844; schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 4524; 1844; schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 5108; 1844; schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 3088; 1844; schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 5092; 1844; schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 4908; 1844; schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 3264; 1844; schtasks.exe
-
Processes:
Processes involved: upfc.exe (6 instances), dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
Columns: description; ioc; process
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; upfc.exe
-
Processes:
Columns: resource; yara_rule
- behavioral2/memory/3344-1-0x0000000000DA0000-0x00000000010DC000-memory.dmp; dcrat
- C:\Recovery\WindowsRE\sihost.exe; dcrat
- C:\Recovery\WindowsRE\taskhostw.exe; dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
Processes involved: powershell.exe (11 instances)
Columns: pid; process
- 1868; powershell.exe
- 3016; powershell.exe
- 556; powershell.exe
- 4272; powershell.exe
- 4384; powershell.exe
- 4292; powershell.exe
- 3192; powershell.exe
- 3728; powershell.exe
- 2680; powershell.exe
- 4316; powershell.exe
- 2148; powershell.exe
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Processes involved: dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe, upfc.exe (6 instances)
Columns: description; ioc; process
- Key value queried; \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- Key value queried; \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation; upfc.exe
- Key value queried; \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation; upfc.exe
- Key value queried; \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation; upfc.exe
- Key value queried; \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation; upfc.exe
- Key value queried; \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation; upfc.exe
- Key value queried; \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation; upfc.exe
-
Executes dropped EXE 6 IoCs
Processes:
Processes involved: upfc.exe (6 instances)
Columns: pid; process
- 3052; upfc.exe
- 4424; upfc.exe
- 4292; upfc.exe
- 3464; upfc.exe
- 3728; upfc.exe
- 4952; upfc.exe
-
Processes:
Processes involved: upfc.exe (6 instances), dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
Columns: description; ioc; process
- Key value queried; \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; upfc.exe
- Key value queried; \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; upfc.exe
- Key value queried; \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; upfc.exe
- Key value queried; \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; upfc.exe
- Key value queried; \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; upfc.exe
- Key value queried; \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; upfc.exe
- Key value queried; \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; upfc.exe
-
Drops file in Program Files directory 15 IoCs
Processes:
Processes involved: dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
Columns: description; ioc; process
- File created; C:\Program Files (x86)\Google\Temp\sihost.exe; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- File created; C:\Program Files (x86)\Google\Temp\66fc9ff0ee96c2; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- File opened for modification; C:\Program Files (x86)\Internet Explorer\RCX5B71.tmp; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- File opened for modification; C:\Program Files\Internet Explorer\RCX622D.tmp; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- File created; C:\Program Files (x86)\Internet Explorer\upfc.exe; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- File created; C:\Program Files (x86)\Internet Explorer\ea1d8f6d871115; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- File opened for modification; C:\Program Files (x86)\Google\Temp\sihost.exe; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- File opened for modification; C:\Program Files (x86)\Internet Explorer\upfc.exe; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- File opened for modification; C:\Program Files (x86)\Google\Temp\RCX66D4.tmp; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- File opened for modification; C:\Program Files\Internet Explorer\RCX622E.tmp; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- File opened for modification; C:\Program Files (x86)\Google\Temp\RCX66E5.tmp; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- File created; C:\Program Files\Internet Explorer\dllhost.exe; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- File opened for modification; C:\Program Files (x86)\Internet Explorer\RCX5B70.tmp; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- File created; C:\Program Files\Internet Explorer\5940a34987c991; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- File opened for modification; C:\Program Files\Internet Explorer\dllhost.exe; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
Processes involved: schtasks.exe (18 instances)
Columns: pid; process
- 516; schtasks.exe
- 1592; schtasks.exe
- 2332; schtasks.exe
- 3152; schtasks.exe
- 3924; schtasks.exe
- 4188; schtasks.exe
- 4612; schtasks.exe
- 848; schtasks.exe
- 3088; schtasks.exe
- 5092; schtasks.exe
- 3264; schtasks.exe
- 2660; schtasks.exe
- 2252; schtasks.exe
- 2684; schtasks.exe
- 4524; schtasks.exe
- 5108; schtasks.exe
- 2892; schtasks.exe
- 4908; schtasks.exe
-
Modifies registry class 7 IoCs
Processes:
Processes involved: upfc.exe (6 instances), dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
Columns: description; ioc; process
- Key created; \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings; upfc.exe
- Key created; \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- Key created; \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings; upfc.exe
- Key created; \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings; upfc.exe
- Key created; \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings; upfc.exe
- Key created; \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings; upfc.exe
- Key created; \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings; upfc.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Processes involved: dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe, powershell.exe (11 instances), upfc.exe
Columns: pid; process (64 entries in total; identical repeated rows are summarised with a count)
- 3344; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe (26 entries)
- 4272; powershell.exe (3 entries)
- 4316; powershell.exe (3 entries)
- 2148; powershell.exe (3 entries)
- 2680; powershell.exe (3 entries)
- 3016; powershell.exe (3 entries)
- 3728; powershell.exe (3 entries)
- 556; powershell.exe (3 entries)
- 4292; powershell.exe (3 entries)
- 4384; powershell.exe (3 entries)
- 1868; powershell.exe (3 entries)
- 3192; powershell.exe (3 entries)
- 3052; upfc.exe (5 entries)
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes:
Processes involved: dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe, powershell.exe (11 instances), upfc.exe (6 instances)
Columns: description; pid; process
- Token: SeDebugPrivilege; 3344; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- Token: SeDebugPrivilege; 4272; powershell.exe
- Token: SeDebugPrivilege; 4316; powershell.exe
- Token: SeDebugPrivilege; 4292; powershell.exe
- Token: SeDebugPrivilege; 3016; powershell.exe
- Token: SeDebugPrivilege; 2148; powershell.exe
- Token: SeDebugPrivilege; 2680; powershell.exe
- Token: SeDebugPrivilege; 3728; powershell.exe
- Token: SeDebugPrivilege; 4384; powershell.exe
- Token: SeDebugPrivilege; 556; powershell.exe
- Token: SeDebugPrivilege; 1868; powershell.exe
- Token: SeDebugPrivilege; 3192; powershell.exe
- Token: SeDebugPrivilege; 3052; upfc.exe
- Token: SeDebugPrivilege; 4424; upfc.exe
- Token: SeDebugPrivilege; 4292; upfc.exe
- Token: SeDebugPrivilege; 3464; upfc.exe
- Token: SeDebugPrivilege; 3728; upfc.exe
- Token: SeDebugPrivilege; 4952; upfc.exe
-
Suspicious use of WriteProcessMemory 62 IoCs
Processes:
Processes involved: dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe, cmd.exe, upfc.exe (6 instances), WScript.exe (5 instances)
Columns: description; pid; process; target process (62 entries in total; each write is recorded twice in the source, shown here once with a count)
- PID 3344 wrote to memory of 556; 3344; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe; powershell.exe (2 entries)
- PID 3344 wrote to memory of 3728; 3344; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe; powershell.exe (2 entries)
- PID 3344 wrote to memory of 4272; 3344; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe; powershell.exe (2 entries)
- PID 3344 wrote to memory of 2680; 3344; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe; powershell.exe (2 entries)
- PID 3344 wrote to memory of 4316; 3344; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe; powershell.exe (2 entries)
- PID 3344 wrote to memory of 4384; 3344; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe; powershell.exe (2 entries)
- PID 3344 wrote to memory of 2148; 3344; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe; powershell.exe (2 entries)
- PID 3344 wrote to memory of 4292; 3344; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe; powershell.exe (2 entries)
- PID 3344 wrote to memory of 1868; 3344; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe; powershell.exe (2 entries)
- PID 3344 wrote to memory of 3016; 3344; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe; powershell.exe (2 entries)
- PID 3344 wrote to memory of 3192; 3344; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe; powershell.exe (2 entries)
- PID 3344 wrote to memory of 3156; 3344; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe; cmd.exe (2 entries)
- PID 3156 wrote to memory of 3892; 3156; cmd.exe; w32tm.exe (2 entries)
- PID 3156 wrote to memory of 3052; 3156; cmd.exe; upfc.exe (2 entries)
- PID 3052 wrote to memory of 3188; 3052; upfc.exe; WScript.exe (2 entries)
- PID 3052 wrote to memory of 2320; 3052; upfc.exe; WScript.exe (2 entries)
- PID 3188 wrote to memory of 4424; 3188; WScript.exe; upfc.exe (2 entries)
- PID 4424 wrote to memory of 2220; 4424; upfc.exe; WScript.exe (2 entries)
- PID 4424 wrote to memory of 3900; 4424; upfc.exe; WScript.exe (2 entries)
- PID 2220 wrote to memory of 4292; 2220; WScript.exe; upfc.exe (2 entries)
- PID 4292 wrote to memory of 3220; 4292; upfc.exe; WScript.exe (2 entries)
- PID 4292 wrote to memory of 3084; 4292; upfc.exe; WScript.exe (2 entries)
- PID 3220 wrote to memory of 3464; 3220; WScript.exe; upfc.exe (2 entries)
- PID 3464 wrote to memory of 3632; 3464; upfc.exe; WScript.exe (2 entries)
- PID 3464 wrote to memory of 3768; 3464; upfc.exe; WScript.exe (2 entries)
- PID 3632 wrote to memory of 3728; 3632; WScript.exe; upfc.exe (2 entries)
- PID 3728 wrote to memory of 4840; 3728; upfc.exe; WScript.exe (2 entries)
- PID 3728 wrote to memory of 4588; 3728; upfc.exe; WScript.exe (2 entries)
- PID 4840 wrote to memory of 4952; 4840; WScript.exe; upfc.exe (2 entries)
- PID 4952 wrote to memory of 836; 4952; upfc.exe; WScript.exe (2 entries)
- PID 4952 wrote to memory of 4716; 4952; upfc.exe; WScript.exe (2 entries)
-
System policy modification 1 TTPs 21 IoCs
Processes:
Processes involved: upfc.exe (6 instances), dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
Columns: description; ioc; process
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; upfc.exe
- Set value (int); \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\dc4a687b17405db35530af6aa40cd2b0_NeikiAnalytics.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3344 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:556 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3728 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4272 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4316 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4384 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4292 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3016 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3192 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zykW3pHScp.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:3892
-
C:\Program Files (x86)\Internet Explorer\upfc.exe"C:\Program Files (x86)\Internet Explorer\upfc.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3052 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\255d9068-70d2-40f3-9a99-93ad93e39233.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID: 3188
Process (depth 5): C:\Program Files (x86)\Internet Explorer\upfc.exe
Command line: "C:\Program Files (x86)\Internet Explorer\upfc.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 4424
Process (depth 6): C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d938be9e-9a23-4781-bd04-9d2bd8fee025.vbs"
- Suspicious use of WriteProcessMemory
PID: 2220
Process (depth 7): C:\Program Files (x86)\Internet Explorer\upfc.exe
Command line: "C:\Program Files (x86)\Internet Explorer\upfc.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 4292
Process (depth 8): C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d2cf553-a91b-4371-aaf3-7b7ca7c21b03.vbs"
- Suspicious use of WriteProcessMemory
PID: 3220
Process (depth 9): C:\Program Files (x86)\Internet Explorer\upfc.exe
Command line: "C:\Program Files (x86)\Internet Explorer\upfc.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 3464
Process (depth 10): C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5072ec9-2f7b-4adc-9fc6-3cd7ead42005.vbs"
- Suspicious use of WriteProcessMemory
PID: 3632
Process (depth 11): C:\Program Files (x86)\Internet Explorer\upfc.exe
Command line: "C:\Program Files (x86)\Internet Explorer\upfc.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 3728
Process (depth 12): C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45960fe3-391c-4124-bc68-5b2f5b1b7138.vbs"
- Suspicious use of WriteProcessMemory
PID: 4840
Process (depth 13): C:\Program Files (x86)\Internet Explorer\upfc.exe
Command line: "C:\Program Files (x86)\Internet Explorer\upfc.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 4952
Process (depth 14): C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e11c9075-b288-439e-80b4-1e44ca325786.vbs"
PID: 836
Process (depth 14): C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5968698-4680-4123-9cc7-b62c43abb054.vbs"
PID: 4716
Process (depth 12): C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61aef406-5b5b-4b14-be3b-2a1121a47ea3.vbs"
PID: 4588
Process (depth 10): C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab0a2b5b-d5ef-4a29-882a-97a15be03006.vbs"
PID: 3768
Process (depth 8): C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70f16270-7112-414d-87d4-db8b7f59f74d.vbs"
PID: 3084
Process (depth 6): C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f66b850a-da61-4dde-873d-c2dc15b374fb.vbs"
PID: 3900
Process (depth 4): C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ead0d72-525f-4cd9-a0a9-0ea53a76bcf7.vbs"
PID: 2320
Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\upfc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3152
Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2660
Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3924
Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\services.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2252
Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4188
Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 516
Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2892
Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1592
Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4612
Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\dllhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2332
Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 848
Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2684
Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4524
Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 5108
Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3088
Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\sihost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 5092
Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4908
Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3264
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads