Analysis
max time kernel: 149s
max time network: 141s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-05-2024 13:07
Behavioral task: behavioral1
Sample: dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe
Size: 3.2MB
MD5: dfe2a7d1e80181a3fcf84a7c0b0c44c0
SHA1: 6bde52ed399d07d43a24c4a03d0abb25dea6df96
SHA256: a0bbb5f5a121166366ca545b1b37d4a6b9d54562212cdef13bb052e7c342577c
SHA512: fa9e812e795218f05cf158c0d13a50b485439afa9ba5ec3780e3b820c3d793cdbbe24bdadc9048eff33fa70948d0129c070c2e29fc8cc79adf5cbdca89509c66
SSDEEP: 49152:vC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:vC0Fl8v/qXYrv5tG9uKJGAWl5N
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description, pid, pid_target, process):
Every entry has the same description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; pid_target is 2592 and the process is schtasks.exe in each case. The 51 schtasks.exe pids, in report order:
2384, 2400, 2456, 3044, 1004, 1716, 112, 1332, 2280, 2652, 2712, 2804, 1120, 1124, 1912, 2324, 1672, 852, 2136, 1624, 2304, 840, 2004, 2024, 2476, 2772, 2008, 2892, 1104, 620, 2960, 3032, 1928, 1604, 1168, 752, 1480, 1520, 2800, 1052, 684, 272, 1632, 1392, 2808, 1512, 2736, 1564, 2056, 1560, 1704
UAC bypass
Processes (description, ioc, process):
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (csrss.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (csrss.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (csrss.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (csrss.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (csrss.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (csrss.exe)
Resources matching yara rule dcrat:
behavioral1/memory/2184-1-0x00000000012F0000-0x000000000162C000-memory.dmp
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\taskhost.exe
C:\Users\Admin\audiodg.exe
C:\Windows\ShellNew\spoolsv.exe
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe
C:\Program Files (x86)\Windows Mail\lsass.exe
C:\Program Files\VideoLAN\VLC\hrtfs\lsass.exe
behavioral1/memory/432-336-0x00000000011F0000-0x000000000152C000-memory.dmp
behavioral1/memory/2044-349-0x0000000000200000-0x000000000053C000-memory.dmp
C:\Windows\SchCache\csrss.exe
behavioral1/memory/2068-361-0x0000000000380000-0x00000000006BC000-memory.dmp
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes (pid, process), all powershell.exe:
1476, 2772, 524, 2340, 2304, 1752, 2812, 1072, 1456, 1588, 1912, 1728
Executes dropped EXE 2 IoCs
Processes (pid, process):
432 csrss.exe
2044 csrss.exe
Checks whether UAC is enabled
Processes (description, ioc, process):
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (csrss.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (csrss.exe)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (csrss.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (csrss.exe)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe)
Drops file in Program Files directory 30 IoCs
Processes (description, ioc); the process is dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe for every entry:
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\smss.exe
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXC8A5.tmp
File opened for modification C:\Program Files (x86)\Windows Mail\lsass.exe
File opened for modification C:\Program Files\VideoLAN\VLC\hrtfs\RCXD59B.tmp
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCXBC2D.tmp
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXC8B5.tmp
File created C:\Program Files (x86)\Adobe\Reader 9.0\Esl\csrss.exe
File opened for modification C:\Program Files (x86)\Windows Mail\ja-JP\RCXB4C7.tmp
File created C:\Program Files (x86)\Windows Mail\ja-JP\5940a34987c991
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\886983d96e3d3e
File opened for modification C:\Program Files\VideoLAN\VLC\hrtfs\lsass.exe
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\69ddcba757bf72
File created C:\Program Files (x86)\Windows Mail\lsass.exe
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\RCXB06F.tmp
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe
File created C:\Program Files\VideoLAN\VLC\hrtfs\lsass.exe
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\RCXB080.tmp
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCXBC1D.tmp
File opened for modification C:\Program Files (x86)\Windows Mail\ja-JP\dllhost.exe
File opened for modification C:\Program Files (x86)\Windows Mail\RCXD26D.tmp
File opened for modification C:\Program Files (x86)\Windows Mail\RCXD2FA.tmp
File created C:\Program Files (x86)\Windows Mail\ja-JP\dllhost.exe
File created C:\Program Files (x86)\Adobe\Reader 9.0\Esl\886983d96e3d3e
File created C:\Program Files (x86)\Windows Mail\6203df4a6bafc7
File created C:\Program Files\VideoLAN\VLC\hrtfs\6203df4a6bafc7
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\smss.exe
File opened for modification C:\Program Files\VideoLAN\VLC\hrtfs\RCXD50D.tmp
File opened for modification C:\Program Files (x86)\Windows Mail\ja-JP\RCXB4D7.tmp
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Esl\csrss.exe
Drops file in Windows directory 16 IoCs
Processes (description, ioc); the process is dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe for every entry:
File opened for modification C:\Windows\Downloaded Program Files\RCXAE2D.tmp
File opened for modification C:\Windows\ShellNew\spoolsv.exe
File created C:\Windows\SchCache\886983d96e3d3e
File created C:\Windows\ShellNew\spoolsv.exe
File opened for modification C:\Windows\SchCache\csrss.exe
File opened for modification C:\Windows\ShellNew\RCXCDC8.tmp
File created C:\Windows\CSC\v2.0.6\services.exe
File created C:\Windows\ShellNew\f3b6ecef712a24
File opened for modification C:\Windows\Downloaded Program Files\RCXAE1C.tmp
File opened for modification C:\Windows\SchCache\RCXC624.tmp
File created C:\Windows\Downloaded Program Files\csrss.exe
File created C:\Windows\Downloaded Program Files\886983d96e3d3e
File opened for modification C:\Windows\SchCache\RCXC613.tmp
File opened for modification C:\Windows\ShellNew\RCXCD5A.tmp
File opened for modification C:\Windows\Downloaded Program Files\csrss.exe
File created C:\Windows\SchCache\csrss.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process), all schtasks.exe:
1124, 2136, 2476, 2960, 2892, 620, 1332, 684, 2384, 112, 2772, 1632, 2056, 1168, 1480, 1052, 1392, 1512, 2736, 1716, 1912, 1104, 2808, 2304, 1704, 2712, 1672, 852, 1604, 2456, 3044, 2280, 2804, 2800, 1560, 1004, 2324, 1520, 1624, 3032, 1564, 2400, 2652, 840, 2008, 272, 1928, 752, 1120, 2004, 2024
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process): every entry is 2184 dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe, one entry per enumeration event.
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes (description, pid, process), all Token: SeDebugPrivilege:
2184 dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe
1752 powershell.exe
1728 powershell.exe
2812 powershell.exe
1456 powershell.exe
2340 powershell.exe
1912 powershell.exe
1588 powershell.exe
524 powershell.exe
2304 powershell.exe
1476 powershell.exe
2772 powershell.exe
1072 powershell.exe
432 csrss.exe
2044 csrss.exe
Suspicious use of WriteProcessMemory 60 IoCs
Processes (description, pid, process, target process); each of the following entries appears three times in the report, giving the 60 IoCs:
PID 2184 wrote to memory of 2340 (dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe -> powershell.exe)
PID 2184 wrote to memory of 2812 (dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe -> powershell.exe)
PID 2184 wrote to memory of 1456 (dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe -> powershell.exe)
PID 2184 wrote to memory of 2304 (dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe -> powershell.exe)
PID 2184 wrote to memory of 1752 (dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe -> powershell.exe)
PID 2184 wrote to memory of 1728 (dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe -> powershell.exe)
PID 2184 wrote to memory of 1476 (dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe -> powershell.exe)
PID 2184 wrote to memory of 1912 (dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe -> powershell.exe)
PID 2184 wrote to memory of 1588 (dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe -> powershell.exe)
PID 2184 wrote to memory of 1072 (dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe -> powershell.exe)
PID 2184 wrote to memory of 524 (dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe -> powershell.exe)
PID 2184 wrote to memory of 2772 (dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe -> powershell.exe)
PID 2184 wrote to memory of 2988 (dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe -> cmd.exe)
PID 2988 wrote to memory of 2596 (cmd.exe -> w32tm.exe)
PID 2988 wrote to memory of 432 (cmd.exe -> csrss.exe)
PID 432 wrote to memory of 2072 (csrss.exe -> WScript.exe)
PID 432 wrote to memory of 840 (csrss.exe -> WScript.exe)
PID 2072 wrote to memory of 2044 (WScript.exe -> csrss.exe)
PID 2044 wrote to memory of 2808 (csrss.exe -> WScript.exe)
PID 2044 wrote to memory of 1896 (csrss.exe -> WScript.exe)
System policy modification 1 TTPs 9 IoCs
Processes (description, ioc, process):
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (csrss.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (csrss.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (csrss.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (csrss.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (csrss.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (csrss.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe"
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2184
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 2340
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 2812
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 1456
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 2304
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 1752
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 1728
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 1476
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 1912
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 1588
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 1072
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 524
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 2772
Level 2: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TKtqFLH7pF.bat"
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:2596
-
C:\Windows\SchCache\csrss.exe"C:\Windows\SchCache\csrss.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:432 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70065346-a271-4ee1-9a08-92feaef7df7d.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SchCache\csrss.exeC:\Windows\SchCache\csrss.exe5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2044 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0f1fa0d-ab13-47b1-8f17-d75dd077fe08.vbs"6⤵PID:2808
-
C:\Windows\SchCache\csrss.exeC:\Windows\SchCache\csrss.exe7⤵PID:2068
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdbd9ccf-67d6-495f-990e-74297931c3d3.vbs"6⤵PID:1896
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a53ab0e8-09e9-4882-8c3c-114bf9f971da.vbs"4⤵PID:840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Links\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Links\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Links\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\SchCache\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SchCache\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\SchCache\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellNew\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\ShellNew\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellNew\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704
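The registry table and the process tree above contain three things a responder would want to pull out of a report like this automatically: the UAC policy values zeroed, the Defender path exclusions added for every top-level directory, and the schtasks /create jobs that re-launch copies named after Windows system processes from non-system directories. The Python below is an added example, not part of the report or of any sandbox's code. Its sample inputs are constructed by copying a few IoC lines and command lines verbatim from this report; the set of imitated process names, the "broad exclusion" threshold (a drive root or a single top-level directory) and the System32/SysWOW64 allow-list are the example's own heuristics, not anything the report states.

```python
import ntpath
import re

# UAC policy key that both the sample and its csrss.exe copy write to. For
# each of the three value names below, data "0" is the weak setting.
UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_ZERO_MEANS = {
    "EnableLUA": "UAC disabled (takes effect at the next reboot)",
    "ConsentPromptBehaviorAdmin": "administrators elevate without any prompt",
    "PromptOnSecureDesktop": "any remaining prompt is drawn on the normal desktop",
}
# Process names the report's tasks borrow (our heuristic list); none of them
# legitimately runs from Program Files, MSOCache, Recovery or a user profile.
IMITATED_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "spoolsv.exe",
                  "dllhost.exe", "taskhost.exe", "audiodg.exe", "idle.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

REG_SET_RE = re.compile(r'Set value \((\w+)\) (\S+)\\(\w+) = "([^"]*)" (\S+)')
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)
SCHTASKS_RE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)

def parse_uac_tampering(reg_lines):
    """One finding per UAC policy value that some process set to 0."""
    findings = []
    for line in reg_lines:
        m = REG_SET_RE.search(line)
        if not m:
            continue
        _kind, key, name, data, proc = m.groups()
        if key.lower() == UAC_KEY.lower() and name in UAC_ZERO_MEANS and data == "0":
            findings.append({"value": name, "process": proc, "meaning": UAC_ZERO_MEANS[name]})
    return findings

def parse_defender_exclusion(cmd):
    """If cmd adds a Defender path exclusion, return (path, is_broad); else None."""
    m = EXCLUSION_RE.search(cmd)
    if not m:
        return None
    path = m.group(1).replace("/", "\\").rstrip("\\")
    # "C:" or "C:\<one component>" excludes a whole volume or a whole root tree
    return path, path.count("\\") <= 1

def parse_schtasks_create(cmd):
    """Pull /tn, /sc, /mo, /tr and /rl out of a schtasks /create command line."""
    if not SCHTASKS_RE.search(cmd):
        return None

    def flag(name, pattern):
        m = re.search(rf"/{name}\s+{pattern}", cmd, re.I)
        return m.group(1) if m else None

    return {"name": flag("tn", r'"([^"]+)"'), "schedule": flag("sc", r"(\w+)"),
            "modifier": flag("mo", r"(\d+)"), "run_level": flag("rl", r"(\w+)"),
            # the report wraps the target as "'C:\...\x.exe'": strip both quote layers
            "target": flag("tr", r"""["']+([^"']+)["']+""")}

def assess_task(task):
    """Reasons a parsed task resembles the persistence in this report."""
    reasons = []
    target = task["target"] or ""
    if (ntpath.basename(target).lower() in IMITATED_NAMES
            and not ntpath.dirname(target).lower().startswith(SYSTEM_DIRS)):
        reasons.append(f"system process name outside System32: {target}")
    if (task["schedule"] or "").upper() == "MINUTE":
        reasons.append(f"re-launched every {task['modifier']} minute(s)")
    if (task["run_level"] or "").upper() == "HIGHEST":
        reasons.append("runs with highest available privileges")
    return reasons

def triage(reg_lines, cmd_lines):
    """Run all three checks and return the findings as plain dicts."""
    report = {"uac_tampering": parse_uac_tampering(reg_lines),
              "defender_exclusions": [], "persistence_tasks": []}
    for cmd in cmd_lines:
        excl = parse_defender_exclusion(cmd)
        if excl:
            report["defender_exclusions"].append({"path": excl[0], "broad": excl[1]})
            continue
        task = parse_schtasks_create(cmd)
        if task and (reasons := assess_task(task)):
            report["persistence_tasks"].append({**task, "reasons": reasons})
    return report

# Constructed sample input: lines copied from this report's IoC table and process tree.
REGISTRY_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dfe2a7d1e80181a3fcf84a7c0b0c44c0_NeikiAnalytics.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" csrss.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" csrss.exe',
]
COMMAND_LINES = [
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:/'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'""",
    r"""w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2""",
    r"""schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SchCache\csrss.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\lsass.exe'" /f""",
    r"""schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Links\Idle.exe'" /f""",
]

if __name__ == "__main__":
    print(triage(REGISTRY_EVENTS, COMMAND_LINES))
```

triage returns plain dicts so the same checks can be fed from an EDR or Sysmon export instead of the literals above. The negatives matter as much as the hits: the w32tm /stripchart line yields nothing, and a csrss.exe scheduled from System32 would pass assess_task with no reasons, so the heuristics do not fire on every scheduled task or every PowerShell launch.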
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (T1548): 1 matching signature
- Bypass User Account Control (T1548.002, sub-technique of the above): 1 matching signature
- Scheduled Task/Job (T1053): 1 matching signature
Downloads
-
Filesize: 3.2MB
MD5: 0f0932cc83a88d529c97ea16a944c529
SHA1: 066a197a26039b912eac8822ef6e43a49d14f934
SHA256: adf0c84724c5736d6f09ad45eec08665395f0d7e423af0866ef275b29ff5690a
SHA512: ae6ec7bb1355d54cb0b8e38ec2cefffdd0bdb37a53ca5d66bcbd436f933b0f4db397cf1ae139f171898c4f44fbf96e0e881754eb95d678d585dbc9e8784e1bc6
-
Filesize: 3.2MB
MD5: 254965aec9e293ef890482ddc1263c09
SHA1: 75b11eeca2fd136611c2ef740696292d8ab7dd0b
SHA256: 8a677dfc059baafa7918a416092a3ce73e0bca483575b440ae5164981740ad56
SHA512: 523c4a3bc3457d6bcc349aaa8cf415569f6c170bcacf3a49f36b912f051be7f4cd2520c21dbabfe442efbd82be9a5962fc2ea5688b10e0b4b09df044e1c7d9c5
-
Filesize: 3.2MB
MD5: e65c49d1409478ab2a2f876935676d1c
SHA1: 5299a2ca1b1684e3412660ea5e2c617a6db64b7d
SHA256: c6278e9b20c2d92901c9f499f6a4b26df0d044f3a14278e958968e239c818a12
SHA512: 9995f3b50c7f38013413397a1f2c149ff10a64dd82ec77927241b98952f88fb827ebfca9d1e066746dedb579dc9f65adbfb3153523345274d1989815ffb5f0f1
-
Filesize: 3.2MB
MD5: ac3b711d26ab5d47339ba56a3f2ca8b0
SHA1: 000daecd8c71bde7ced451aa6503151c0c4b742b
SHA256: 7b26c5ee0bba3268e878e184e457f118e491ccd150d199722f5734ebade710e8
SHA512: 2329f8f1b8ffa450512d9171f76c556744405ce32489407f5c6774f033ea516ab9a77493e4a118ebd7b3200641d21d1b7fde29c69e3109c23831e54fa10d44b2
-
Filesize: 3.2MB
MD5: dfe2a7d1e80181a3fcf84a7c0b0c44c0
SHA1: 6bde52ed399d07d43a24c4a03d0abb25dea6df96
SHA256: a0bbb5f5a121166366ca545b1b37d4a6b9d54562212cdef13bb052e7c342577c
SHA512: fa9e812e795218f05cf158c0d13a50b485439afa9ba5ec3780e3b820c3d793cdbbe24bdadc9048eff33fa70948d0129c070c2e29fc8cc79adf5cbdca89509c66
-
Filesize: 3.2MB
MD5: ec3c8529f53de3016d96ba3b39d566d5
SHA1: 50a406c0fda9507ca6a1863772cedd5980637028
SHA256: 438e28ae477e5e8cea0d10f973c122da9f1a40107986d0c6fe580ae2993422b2
SHA512: 344b42018c9484f1edff0bc32c97a708e54afda6235d739f462a63f7b370873ffe0a96d71ba890a6949767b457d3e8b758a49c9799be782091073b2c339cfd87
-
Filesize: 704B
MD5: 078b0fe2ee198ad7f8fcff6dbdffa8f4
SHA1: bd451fbebf6464ed0ee28125bd4a2ce1267a7a76
SHA256: 1528be5c5d29bad8d31a12f3dffc4fd9d999e766dec23a2231fabbb3658317f6
SHA512: 45dff2be3402d380264a2b63259d6a6d32644dfb570def2dad4ee91b68a77df0c59f24f074ab325b143406ded641d80926dbe1deae582ff2b2dac3b5efce1474
-
Filesize: 194B
MD5: a5fc9e9eeefa069166a3a00921d194ce
SHA1: ff993e20e901174e650c4a292de076c583a39084
SHA256: 47f82225f39ca3494011dd602cf5337184e7a1abe7a2b82ac9d240eeef15e69a
SHA512: c842528919dbd44d3a7fc4dbe7c50cfc78cfb5ee12ec040074a4b0c7250188830899a0665d7464f0a8a583ce2e9d7422a76ba7cabea8d7f5b6c27d9801ac88f1
-
Filesize: 481B
MD5: df3fb3269f892af7750e21be4466c729
SHA1: 7d64dc005f5a8314a222c66158d1106655cddb7f
SHA256: 6d8f527f976983b44a10219b18c9dba8df66fe4ac9e5f5e64ec85b5f6afae0a4
SHA512: e1e23f9b4923ed9abcfb83ffa9636faa9a009732dc89ec65320e74ea6bbd089b6870ea72b8e920e42d7c7076116e3fd716d92c5e3283b8c03fbdd9b92cbc612e
-
Filesize: 705B
MD5: bcb708f940352d0ce1c84f5f9a841f48
SHA1: 0d9578f02dab4115a00d748497deddc7ac8958b2
SHA256: 11ac33004bc6613e858054574d8882f7c98342d732e07b496bf267803b03d805
SHA512: 27ff46ede3713119dcfc144f5cc8bcb64acc9bf9ac7e747f9355c3e6ce1d770884fc1ab28103d51d364482ed63061bb2ff2771a11d82033c5f6bee18800e1a8b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 9be6a88a0068976c359b3092a784a433
SHA1: c157cc1dcd3e55410bff94f3b65802f8d8d766a6
SHA256: 6ba09d33d95b597d83db23f43e2738596c040a5223774d3ccf76ede7e0ce7947
SHA512: b1fa15866c3a7cfc7d2443357b1e1145a28596a4cb43fd03bd6ce3d556c4c81ceb34cabf390b11bae5e0294c7da88d592ab3655f434964c1074c4c6dfdfec09e
-
Filesize: 3.2MB
MD5: 2f56320196b3797aebbd020e68c8ae52
SHA1: 2487c0309624aa78f2f49987a080cdbe01b634e3
SHA256: 34e35366f01e70ace6f226c00880fda031fb712adcb51a8c9c36d12c00e96b5d
SHA512: c501cf99123c85985de2107ce6896c7e5aa5974a0e4e875eb7ee2e362385e5f6874179cd5cbbaaa020cb246ab6731c70b137f4c3e39fe3029eefa1f8ae3b02de
-
Filesize: 3.0MB
MD5: 42caa506b4038361a7edb49b03aefa65
SHA1: 85e5b80faeb469ef93a59760f0f9eec281afa07a
SHA256: ee64b21ea6ae3425382934df8b352da664bb7ba64784591cca7b037d55812624
SHA512: d6d5b9c01dbb1a2c7eddc49a9d926e83df9e87d5adf49b2310edbbad6fa87249b39f81321da76c873d0a0d83c03e4f2aab5b164f4305a9441a5247d2dc6a65f7
-
Filesize: 3.2MB
MD5: 42c05ec9ea2e024d335bf5c524ac1ad0
SHA1: d36904f19cd84db1e934536546ae1e09c5711134
SHA256: 1ba6dc66c1806d6381a98057c77aa89dff23c6e4d532b7eb9f155f8aacc65c0e
SHA512: 50859215d120343ce02a1add25567e5908471f444a6a68db9a9f314c194d9cfa92fa2ced781ccbbfb121b15c97675ef09786d279445cb3423cd80f26267dca43