dcrat | f0b7658d97ad3263b4373978e5b90674a08f57bd245fad82fb0ad2b883d75292

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
Size

2.9MB
MD5

07e331d8f4da07460446c4946b7e1290
SHA1

236d4ec1debe9ff37d1b1612e2c6efc54f7900a8
SHA256

f0b7658d97ad3263b4373978e5b90674a08f57bd245fad82fb0ad2b883d75292
SHA512

49c1ee8bf1f5395bae30acfbc026d823bc5d02d2413755de768bd235121d5f992c5971e0479610c48f0d1593c0301ad713fb5cd2a75396e978acd87bd892730f
SSDEEP

49152:H4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:YDKmzjWnC8Wikx1DUN2/Uq

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2640	schtasks.exe	28

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2280-1-0x0000000000160000-0x0000000000446000-memory.dmp	dcrat
behavioral1/files/0x0007000000013216-34.dat	dcrat
behavioral1/files/0x0008000000013708-120.dat	dcrat
behavioral1/files/0x0009000000013708-127.dat	dcrat
behavioral1/files/0x00100000000139f1-183.dat	dcrat
behavioral1/files/0x0008000000013216-199.dat	dcrat
behavioral1/memory/2240-203-0x0000000000A50000-0x0000000000D36000-memory.dmp	dcrat
behavioral1/memory/1236-237-0x0000000001060000-0x0000000001346000-memory.dmp	dcrat
behavioral1/memory/1144-249-0x00000000012D0000-0x00000000015B6000-memory.dmp	dcrat
behavioral1/memory/1424-306-0x0000000001310000-0x00000000015F6000-memory.dmp	dcrat
behavioral1/memory/2432-319-0x00000000003D0000-0x00000000006B6000-memory.dmp	dcrat
behavioral1/memory/2520-332-0x0000000000940000-0x0000000000C26000-memory.dmp	dcrat
behavioral1/memory/1228-345-0x0000000000B00000-0x0000000000DE6000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2504	powershell.exe
2904	powershell.exe
1612	powershell.exe
2616	powershell.exe
2140	powershell.exe
2584	powershell.exe
2868	powershell.exe
2468	powershell.exe
2932	powershell.exe
2324	powershell.exe
1980	powershell.exe
2692	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2240	lsm.exe
1236	lsm.exe
1144	lsm.exe
2468	lsm.exe
1812	lsm.exe
2612	lsm.exe
1148	lsm.exe
1424	lsm.exe
2432	lsm.exe
2520	lsm.exe
1228	lsm.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX28E2.tmp	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\System.exe	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCX1970.tmp	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\27d1bcfc3c54e0	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\explorer.exe	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCX2269.tmp	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\audiodg.exe	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\69ddcba757bf72	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\audiodg.exe	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\audiodg.exe	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\42af1c969fbb7b	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\c5b4cb5e9653cc	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File created	C:\Program Files (x86)\MSBuild\101b941d020240	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\explorer.exe	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\42af1c969fbb7b	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\RCX128A.tmp	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\MSBuild\lsm.exe	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\RCX1BF1.tmp	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\RCX24DA.tmp	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\System.exe	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\7a0fd90576e088	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File created	C:\Program Files (x86)\MSBuild\lsm.exe	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX2065.tmp	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\audiodg.exe	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\6ccacd8608530f	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\RCX14FB.tmp	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File created	C:\Windows\Web\Wallpaper\Scenes\System.exe	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File created	C:\Windows\schemas\EAPMethods\csrss.exe	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Idle.exe	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\System.exe	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\RCX2AE6.tmp	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\Idle.exe	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
File created	C:\Windows\Web\Wallpaper\Scenes\27d1bcfc3c54e0	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
968	schtasks.exe
1956	schtasks.exe
1764	schtasks.exe
2960	schtasks.exe
1548	schtasks.exe
1816	schtasks.exe
240	schtasks.exe
1520	schtasks.exe
800	schtasks.exe
2632	schtasks.exe
1976	schtasks.exe
836	schtasks.exe
1484	schtasks.exe
2848	schtasks.exe
2668	schtasks.exe
1236	schtasks.exe
2132	schtasks.exe
1100	schtasks.exe
3036	schtasks.exe
1208	schtasks.exe
2748	schtasks.exe
2440	schtasks.exe
2712	schtasks.exe
848	schtasks.exe
1508	schtasks.exe
2424	schtasks.exe
2400	schtasks.exe
3060	schtasks.exe
2224	schtasks.exe
1964	schtasks.exe
336	schtasks.exe
344	schtasks.exe
112	schtasks.exe
1924	schtasks.exe
544	schtasks.exe
1480	schtasks.exe
912	schtasks.exe
1900	schtasks.exe
2036	schtasks.exe
2448	schtasks.exe
2604	schtasks.exe
1196	schtasks.exe
2392	schtasks.exe
892	schtasks.exe
2516	schtasks.exe
1780	schtasks.exe
1360	schtasks.exe
2016	schtasks.exe
1560	schtasks.exe
2296	schtasks.exe
2608	schtasks.exe
2692	schtasks.exe
2752	schtasks.exe
2876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
2468	powershell.exe
2504	powershell.exe
2140	powershell.exe
2616	powershell.exe
2324	powershell.exe
2932	powershell.exe
2692	powershell.exe
2904	powershell.exe
1980	powershell.exe
2584	powershell.exe
1612	powershell.exe
2868	powershell.exe
2240	lsm.exe
1236	lsm.exe
1144	lsm.exe
2468	lsm.exe
1812	lsm.exe
2612	lsm.exe
1148	lsm.exe
1424	lsm.exe
2432	lsm.exe
2520	lsm.exe
1228	lsm.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2240	lsm.exe
Token: SeDebugPrivilege	1236	lsm.exe
Token: SeDebugPrivilege	1144	lsm.exe
Token: SeDebugPrivilege	2468	lsm.exe
Token: SeDebugPrivilege	1812	lsm.exe
Token: SeDebugPrivilege	2612	lsm.exe
Token: SeDebugPrivilege	1148	lsm.exe
Token: SeDebugPrivilege	1424	lsm.exe
Token: SeDebugPrivilege	2432	lsm.exe
Token: SeDebugPrivilege	2520	lsm.exe
Token: SeDebugPrivilege	1228	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2504	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	83
PID 2280 wrote to memory of 2504	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	83
PID 2280 wrote to memory of 2504	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	83
PID 2280 wrote to memory of 2468	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	84
PID 2280 wrote to memory of 2468	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	84
PID 2280 wrote to memory of 2468	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	84
PID 2280 wrote to memory of 2868	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	85
PID 2280 wrote to memory of 2868	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	85
PID 2280 wrote to memory of 2868	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	85
PID 2280 wrote to memory of 2692	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	87
PID 2280 wrote to memory of 2692	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	87
PID 2280 wrote to memory of 2692	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	87
PID 2280 wrote to memory of 2584	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	89
PID 2280 wrote to memory of 2584	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	89
PID 2280 wrote to memory of 2584	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	89
PID 2280 wrote to memory of 1980	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	90
PID 2280 wrote to memory of 1980	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	90
PID 2280 wrote to memory of 1980	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	90
PID 2280 wrote to memory of 2140	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	91
PID 2280 wrote to memory of 2140	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	91
PID 2280 wrote to memory of 2140	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	91
PID 2280 wrote to memory of 2616	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	92
PID 2280 wrote to memory of 2616	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	92
PID 2280 wrote to memory of 2616	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	92
PID 2280 wrote to memory of 1612	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	93
PID 2280 wrote to memory of 1612	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	93
PID 2280 wrote to memory of 1612	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	93
PID 2280 wrote to memory of 2324	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	94
PID 2280 wrote to memory of 2324	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	94
PID 2280 wrote to memory of 2324	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	94
PID 2280 wrote to memory of 2932	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	95
PID 2280 wrote to memory of 2932	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	95
PID 2280 wrote to memory of 2932	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	95
PID 2280 wrote to memory of 2904	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	96
PID 2280 wrote to memory of 2904	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	96
PID 2280 wrote to memory of 2904	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	96
PID 2280 wrote to memory of 2240	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	107
PID 2280 wrote to memory of 2240	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	107
PID 2280 wrote to memory of 2240	2280	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe	107
PID 2240 wrote to memory of 2888	2240	lsm.exe	108
PID 2240 wrote to memory of 2888	2240	lsm.exe	108
PID 2240 wrote to memory of 2888	2240	lsm.exe	108
PID 2240 wrote to memory of 2592	2240	lsm.exe	109
PID 2240 wrote to memory of 2592	2240	lsm.exe	109
PID 2240 wrote to memory of 2592	2240	lsm.exe	109
PID 2888 wrote to memory of 1236	2888	WScript.exe	110
PID 2888 wrote to memory of 1236	2888	WScript.exe	110
PID 2888 wrote to memory of 1236	2888	WScript.exe	110
PID 1236 wrote to memory of 608	1236	lsm.exe	111
PID 1236 wrote to memory of 608	1236	lsm.exe	111
PID 1236 wrote to memory of 608	1236	lsm.exe	111
PID 1236 wrote to memory of 812	1236	lsm.exe	112
PID 1236 wrote to memory of 812	1236	lsm.exe	112
PID 1236 wrote to memory of 812	1236	lsm.exe	112
PID 608 wrote to memory of 1144	608	WScript.exe	113
PID 608 wrote to memory of 1144	608	WScript.exe	113
PID 608 wrote to memory of 1144	608	WScript.exe	113
PID 1144 wrote to memory of 2476	1144	lsm.exe	114
PID 1144 wrote to memory of 2476	1144	lsm.exe	114
PID 1144 wrote to memory of 2476	1144	lsm.exe	114
PID 1144 wrote to memory of 1920	1144	lsm.exe	115
PID 1144 wrote to memory of 1920	1144	lsm.exe	115
PID 1144 wrote to memory of 1920	1144	lsm.exe	115
PID 2476 wrote to memory of 2468	2476	WScript.exe	118

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\07e331d8f4da07460446c4946b7e1290_NeikiAnalytics.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Program Files (x86)\MSBuild\lsm.exe
  "C:\Program Files (x86)\MSBuild\lsm.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2240
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cacaba31-11c1-46f6-b942-c88c0d415beb.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Program Files (x86)\MSBuild\lsm.exe
      "C:\Program Files (x86)\MSBuild\lsm.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1236
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\883db33f-0d88-4e5a-9d8a-c53c76ae75b3.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:608
      - C:\Program Files (x86)\MSBuild\lsm.exe
        
        "C:\Program Files (x86)\MSBuild\lsm.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4228176b-81ec-4113-8207-fa69a46848df.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Program Files (x86)\MSBuild\lsm.exe
        
        "C:\Program Files (x86)\MSBuild\lsm.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11559631-3a50-49ed-8e0e-49db8833e831.vbs"
        9⤵
        
        PID:1816
        
        C:\Program Files (x86)\MSBuild\lsm.exe
        
        "C:\Program Files (x86)\MSBuild\lsm.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\addbd124-2278-405e-b28c-7f7fb1c3b43f.vbs"
        11⤵
        
        PID:1504
        
        C:\Program Files (x86)\MSBuild\lsm.exe
        
        "C:\Program Files (x86)\MSBuild\lsm.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e52228f-f814-4c6d-bd7b-0aeaac7938b8.vbs"
        13⤵
        
        PID:2952
        
        C:\Program Files (x86)\MSBuild\lsm.exe
        
        "C:\Program Files (x86)\MSBuild\lsm.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f44a9a6a-5283-43ec-97ec-4dec2abd765c.vbs"
        15⤵
        
        PID:1552
        
        C:\Program Files (x86)\MSBuild\lsm.exe
        
        "C:\Program Files (x86)\MSBuild\lsm.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a19aa47-40ef-490b-9fd6-a81b2cecc7f9.vbs"
        17⤵
        
        PID:1680
        
        C:\Program Files (x86)\MSBuild\lsm.exe
        
        "C:\Program Files (x86)\MSBuild\lsm.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2030b35-76c1-4e5e-b73c-01eced428f38.vbs"
        19⤵
        
        PID:2368
        
        C:\Program Files (x86)\MSBuild\lsm.exe
        
        "C:\Program Files (x86)\MSBuild\lsm.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63c2ddf6-e45f-4907-9751-cf9b1212fc8e.vbs"
        21⤵
        
        PID:320
        
        C:\Program Files (x86)\MSBuild\lsm.exe
        
        "C:\Program Files (x86)\MSBuild\lsm.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33439a29-2030-424e-99f3-e0eaeb8110a5.vbs"
        23⤵
        
        PID:1716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\884494a2-1a6f-48aa-8796-c05e34534a7a.vbs"
        23⤵
        
        PID:568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ef0600f-b390-4c97-95d9-11d333834e64.vbs"
        21⤵
        
        PID:552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed8aef14-2563-4d24-98e6-57f7a21a5fa9.vbs"
        19⤵
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe49cc9e-d884-436b-9ede-5bc3b276799f.vbs"
        17⤵
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4eedbc55-e77a-45e1-baf5-a3b87e7f0466.vbs"
        15⤵
        
        PID:2936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91adb19f-18a5-4a9f-a300-461d5c99eef7.vbs"
        13⤵
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\732d4abf-5538-4acf-a5af-b50c309d5bac.vbs"
        11⤵
        
        PID:1536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00cdb89e-04a6-4c17-bc0a-3112d6bd4eab.vbs"
        9⤵
        
        PID:2176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1230ed26-d716-4508-bea2-2c3c4cd06b6d.vbs"
        7⤵
        
        PID:1920
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50324dc6-8dcd-4388-82f1-a48f091a0674.vbs"
        5⤵
        
        PID:812
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2183d9c4-9485-4822-91e6-51db227043c3.vbs"
    3⤵
    PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Web\Wallpaper\Scenes\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Scenes\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Wallpaper\Scenes\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe

Filesize
2.9MB

MD5
07e331d8f4da07460446c4946b7e1290

SHA1
236d4ec1debe9ff37d1b1612e2c6efc54f7900a8

SHA256
f0b7658d97ad3263b4373978e5b90674a08f57bd245fad82fb0ad2b883d75292

SHA512
49c1ee8bf1f5395bae30acfbc026d823bc5d02d2413755de768bd235121d5f992c5971e0479610c48f0d1593c0301ad713fb5cd2a75396e978acd87bd892730f

Download Submit
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX2065.tmp

Filesize
2.9MB

MD5
f7b173d62c4abd41eb040e95d17eb15b

SHA1
2f92216f8d40579dc30fc31366dd3cae39121547

SHA256
c54b22206aefaefbd26708646c073039885d4fb30d7717f3f8dbb41832c15a1e

SHA512
912ee4881a2f5b7e4e9ae7f71501792f1b08f18fd96a28dab327d56ea8b0e92b5a48e941c4658c0ada893e05cac39a52b6aa2a40c60150ba4e333d28cefd0678

Download Submit
C:\Program Files (x86)\MSBuild\lsm.exe

Filesize
2.9MB

MD5
c20513b81e6efdcb5f4dcc748c82d946

SHA1
b83b3b23a5f7a4fb112462eeb2a3e0378221e638

SHA256
a5c9534888ca3130cd429349f2075158eb1866cc62b143415bed8baee7add095

SHA512
8898d6db8b684503716ab7993099d37de2ba978088f08adb867a9b02a1e941c33fc7fcb3926dc1dd52a3f546ad8b027a10c95432ddf1293a8c765901ce93f48e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\audiodg.exe

Filesize
2.9MB

MD5
f581892965a553fe479f847338933556

SHA1
a00ecef10ed76145c999bea55fae48f94dfe49a2

SHA256
764b413ba84d42b9f75d288ff3d60e30dd6ff91ee1b6aa43ffc0008fb75ad3bb

SHA512
3a24d9f131e57f2b3eff3173c214a609e4ac51b9da9211603b65f292184e6c119a2cbd19f8d316a4ac9764089e620c224aa19e6197afea2f5cb4bb3327ded410

Download Submit
C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\lsass.exe

Filesize
2.9MB

MD5
5cac377ddafabb7675dc6232f0c14bb0

SHA1
880ac160a3194de5a0d99ae459e1dcfc7887168c

SHA256
2f1e6e02cbbaa909a89b9c76b12711640420aaf618b67efbe438f5f7beee5c69

SHA512
1d83670de3f8626fce69f137ff4c04bcdd0d37dfd092874398a4cd98f931407cce9de864054c10d508aef01f3106c3976aa29255a9e3edb062ee4b4745ba28ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\11559631-3a50-49ed-8e0e-49db8833e831.vbs

Filesize
714B

MD5
d22bbcbae0e2f39c5dd4b89af1af0b1c

SHA1
3a3b5fbb9e189513bb2b6f16e0a00303028409b3

SHA256
542718e8193531cd9156c98c18e13357fb6010e53c92c2ed9b2a792842f9349a

SHA512
0d044b227ce3ce6093972c6f38b361adbe5de8b931f06854e962ce563f71b505175f64ca4c0b55f07ae8d7af71596e0dc1dd8532ce653f07d443df65e809542f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2183d9c4-9485-4822-91e6-51db227043c3.vbs

Filesize
490B

MD5
77eb8c9bba97a21bdc50d6a418b4205b

SHA1
1ee384e1bf2efd6e74e3024bbfc61bc6271b503d

SHA256
783393e9c10beb35f1b55e0075a8f04b654f35b970076bbfe4e95aed3a3881c8

SHA512
b3a079acad572960746e8d129fc9b3f1b0558b3570b304a254b600859f4ca5041c69371a62dabf325cfbce1cb2d2fd122daf67543415ba0a312250e8104a3a62

Download Submit
C:\Users\Admin\AppData\Local\Temp\33439a29-2030-424e-99f3-e0eaeb8110a5.vbs

Filesize
714B

MD5
5bccf2303dbf357e407faaec3c5d8dc4

SHA1
47fd745886848c794e3e25c391602e83398b7f0c

SHA256
e5ccbc83e3faf3f1b019e0164ba0b46684c6e0ea6eaa3dfedd6f19a0d6494e11

SHA512
61232f74140a1b515c319c201ac5020e7a4b19902c60c8ce314abc8f0f316f7fa6b587e3a97af50d9cbf44f84a485bb6512fcace00da9a38aad0bf6f69edb738

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a19aa47-40ef-490b-9fd6-a81b2cecc7f9.vbs

Filesize
714B

MD5
1ed0eae2004c5c352e4e0bad2d6c090c

SHA1
97a06537be6a00ec4ff966f8ff1c44545f12cbdd

SHA256
85fdd8c799ff57964f1c46110bc41a4b1b3d34075cdecca1e04c5b6e429c5b6e

SHA512
ab203c75d376a387e23675e2971b2cf1b6933c1f3375f33dbb2ad00063803fb0ff70e3e8a874ab954a7e58286c1e6464c285777cf7f549576c8da89fa4fc63cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\4228176b-81ec-4113-8207-fa69a46848df.vbs

Filesize
714B

MD5
a004198bd7eebef1a7cbd1d575a1ba70

SHA1
da988c6510ef10509cdef10f143963cddf112409

SHA256
f6e54cdfea5d826f1efbb465e77e345190a2d0921beae520206f18809d7c2ddd

SHA512
3dc164b37e13c2620108c5c52420a2a721229240c9ec01571173ca2b23709bd88950eb017b5c862ce7fc8ef7349f3defca52a89b10a9eaa55f636745e714cb3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\63c2ddf6-e45f-4907-9751-cf9b1212fc8e.vbs

Filesize
714B

MD5
618affdd043b01cb943e10004fff1de6

SHA1
0cce986023539e826a502690ffee34d82f720f8f

SHA256
922029a44e630a2c333fb1f504c30edaaf895b950978809c9a034e4dd8b7b4c4

SHA512
b1513c23cb4517b262cfcffcdb95da7900c477222ef393d302b55716df3ba0a0c2da2d8b2ec30e53322a21c2e2b140b768e9b5968c9ab5eb1e4269ef4eae1aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e52228f-f814-4c6d-bd7b-0aeaac7938b8.vbs

Filesize
714B

MD5
72e2e223550d50d8748e2f86903e9a19

SHA1
090c5a6060f4abc4199b19a58773472b0ddb7390

SHA256
ea9d1bac9add822fd518affeea70f1c889e488b85261c5f5c137947a929581b7

SHA512
1697890ea16f3d7230e0f1f467a8a9786ee91ba499a0dcbd7be3ace620903596b7d7f3a8bfc25045c954d619052882d0c03eeced875e2a9276837cc184edc42a

Download Submit
C:\Users\Admin\AppData\Local\Temp\883db33f-0d88-4e5a-9d8a-c53c76ae75b3.vbs

Filesize
714B

MD5
2f45e577a103ac64ddc69b6b2e9b470b

SHA1
ca163bad95793373d72c0cf509137fea5623051c

SHA256
6af32134ca78f110d7d0acd7b4f5658d8e22812a61b652f6d241ee890298ece5

SHA512
7691cba1071feab7509c5b14945b473eaf281cda14c5b5bc926bf1006923cf7f0ce88e1d17b976c7036f1da3a46eb9c4ffad47997c3a498a3c7fe8ab370998ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\addbd124-2278-405e-b28c-7f7fb1c3b43f.vbs

Filesize
714B

MD5
7e206967ae3546ba6fb505e7a4886620

SHA1
b4e19ad61962c83b29053baa9ec44c0f00a54212

SHA256
72b5759bccf4683e08e7c36b815ebcd6268b5bcec103cd8e6e64516e03213906

SHA512
e9379c98c4a9d2190bc7d1f5b28396a1a6547ae9f979b5d56d42ee6b53b42cc320dd84653b8f0045c5dc27943706589cb33f907328bb0bd16c0178ec3dcb508e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cacaba31-11c1-46f6-b942-c88c0d415beb.vbs

Filesize
714B

MD5
88d76f118f25679ab95fb0ff3ac2a030

SHA1
5bee05b4f652f0913bf2c18e5f2ca6a76de9753a

SHA256
447c5e11853ab65509225e1353fc0496b543a93abef192351ea11e250562ab18

SHA512
91c8154a5240a75ae925b8475a5259490c3e0739e57ee65024560ed0f480c9204b1dde6f96908ecbd36e7f21e70344c0b27756505bfdac898984c65ba07794cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2030b35-76c1-4e5e-b73c-01eced428f38.vbs

Filesize
714B

MD5
a0e298061082d7e36205c14f16b5d0ae

SHA1
a33d857f6ba8c97877b99c66d875112c91edd97f

SHA256
2f6e99f9b1a69b486926e07858c6f6d2ea4057ca79e9443f337398555a010e6f

SHA512
03664a71db8c137ba6bf03db1bffa39a97cc8568461d55eba04ce5ba2605c280dd6c1763ed43f8148d271aacdb5f97034882bd0a6e028d0a10f7ab707a5c4616

Download Submit
C:\Users\Admin\AppData\Local\Temp\f44a9a6a-5283-43ec-97ec-4dec2abd765c.vbs

Filesize
714B

MD5
2246e3558db13ab3e0e5b1ea0bf25a55

SHA1
f7ac073a6ce9266349c364d938ba6283282e2733

SHA256
30b839e2dd3b50a6885a89a6067ac9cdd01f3a695bc08ec6922d8b1b930a8d13

SHA512
b7b6cbb4d5c2c2049031ae449337c144dad0d426a67fe0a681eac1d897a1dab2ae4b200843b62a42a74ab73990997aaf31fe4e6e28832a114c21c52f04c6b614

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7EX730KZUEFXS1TSWPZ3.temp

Filesize
7KB

MD5
7d6b8678eacdd406325066adf0b6ccdc

SHA1
9363bac4b2a13e726dbb792085a286defc4cdf11

SHA256
35eda18fc79bfe26aadf818fbdfc9d392b4f279e02e62e16423aa660502b3306

SHA512
9edb22b05c060e7237ac60d2ca8f8b6d2a5ab9017f447804217cff3503f13dd6a1a3359b871d1f92b43dee1b71e9d7e320d030ad7b9c98c191aedcca86cba7cd

Download Submit
memory/1144-249-0x00000000012D0000-0x00000000015B6000-memory.dmp

Filesize
2.9MB

Download
memory/1228-345-0x0000000000B00000-0x0000000000DE6000-memory.dmp

Filesize
2.9MB

Download
memory/1236-237-0x0000000001060000-0x0000000001346000-memory.dmp

Filesize
2.9MB

Download
memory/1424-306-0x0000000001310000-0x00000000015F6000-memory.dmp

Filesize
2.9MB

Download
memory/1424-307-0x00000000006E0000-0x00000000006F2000-memory.dmp

Filesize
72KB

Download
memory/2240-226-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/2240-203-0x0000000000A50000-0x0000000000D36000-memory.dmp

Filesize
2.9MB

Download
memory/2280-22-0x000000001AE00000-0x000000001AE0C000-memory.dmp

Filesize
48KB

Download
memory/2280-2-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2280-8-0x0000000000820000-0x0000000000828000-memory.dmp

Filesize
32KB

Download
memory/2280-7-0x0000000000810000-0x0000000000818000-memory.dmp

Filesize
32KB

Download
memory/2280-6-0x00000000007F0000-0x0000000000806000-memory.dmp

Filesize
88KB

Download
memory/2280-25-0x000000001AF80000-0x000000001AF8C000-memory.dmp

Filesize
48KB

Download
memory/2280-5-0x00000000007E0000-0x00000000007F0000-memory.dmp

Filesize
64KB

Download
memory/2280-1-0x0000000000160000-0x0000000000446000-memory.dmp

Filesize
2.9MB

Download
memory/2280-24-0x000000001AF70000-0x000000001AF7A000-memory.dmp

Filesize
40KB

Download
memory/2280-11-0x000000001AF20000-0x000000001AF76000-memory.dmp

Filesize
344KB

Download
memory/2280-207-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2280-23-0x000000001AE10000-0x000000001AE18000-memory.dmp

Filesize
32KB

Download
memory/2280-10-0x0000000000830000-0x000000000083A000-memory.dmp

Filesize
40KB

Download
memory/2280-4-0x00000000007D0000-0x00000000007D8000-memory.dmp

Filesize
32KB

Download
memory/2280-21-0x000000001AD70000-0x000000001AD7E000-memory.dmp

Filesize
56KB

Download
memory/2280-20-0x000000001AD60000-0x000000001AD68000-memory.dmp

Filesize
32KB

Download
memory/2280-19-0x000000001A8A0000-0x000000001A8AE000-memory.dmp

Filesize
56KB

Download
memory/2280-0-0x000007FEF59E3000-0x000007FEF59E4000-memory.dmp

Filesize
4KB

Download
memory/2280-3-0x00000000007A0000-0x00000000007BC000-memory.dmp

Filesize
112KB

Download
memory/2280-18-0x000000001A890000-0x000000001A89A000-memory.dmp

Filesize
40KB

Download
memory/2280-12-0x00000000008D0000-0x00000000008DC000-memory.dmp

Filesize
48KB

Download
memory/2280-17-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download
memory/2280-16-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/2280-15-0x0000000000900000-0x0000000000912000-memory.dmp

Filesize
72KB

Download
memory/2280-14-0x00000000008F0000-0x00000000008FC000-memory.dmp

Filesize
48KB

Download
memory/2280-9-0x00000000008C0000-0x00000000008D0000-memory.dmp

Filesize
64KB

Download
memory/2280-13-0x00000000008E0000-0x00000000008E8000-memory.dmp

Filesize
32KB

Download
memory/2432-320-0x0000000002140000-0x0000000002152000-memory.dmp

Filesize
72KB

Download
memory/2432-319-0x00000000003D0000-0x00000000006B6000-memory.dmp

Filesize
2.9MB

Download
memory/2468-200-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2468-202-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2520-332-0x0000000000940000-0x0000000000C26000-memory.dmp

Filesize
2.9MB

Download
memory/2520-333-0x0000000000930000-0x0000000000942000-memory.dmp

Filesize
72KB

Download
memory/2612-283-0x0000000000BD0000-0x0000000000BE2000-memory.dmp

Filesize
72KB

Download