Analysis
- max time kernel: 121s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 31-05-2024 05:21

Behavioral task: behavioral1
Sample: 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
Resource: win7-20240221-en

General
- Target: 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
- Size: 1.0MB
- MD5: 78de114aa12b3464cc3bbd2e6f6be910
- SHA1: aaf0559466a075d400a6e35a31400bd85bd06391
- SHA256: 2714e9470dd1490f31065e4c38cfd1211786d0a299b7896c192fc369a6e1f6f9
- SHA512: a60eccf0d61bf14657fccec0b053ac32437d18cad4bea8c7bfbec72e8ff2401a28c6fed8380e95fbc7faa18dfcec7751552ad25f4218695c1525b29cde8bab88
- SSDEEP: 12288:vubxAa9sUFxZ8oq7URPvyKBozWeL+vSgmtjJcDVrCTZSXlVB0mGEB0aNN/cPUeWl:w9sUFxZq7URPt6RL6nBrEZUjGE/L8YZ
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (45 instances)
  description (all 45 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid_target (all rows): 2616
  target process (all rows): schtasks.exe
  pid: 2540, 2692, 2552, 2628, 2708, 1748, 2584, 2408, 2460, 1944, 2808, 576, 1104, 880, 2320, 2156, 1856, 1060, 1468, 2672, 2668, 1240, 1988, 2172, 2184, 1220, 2196, 876, 308, 1616, 2128, 3008, 2292, 768, 2968, 1712, 3024, 980, 3052, 1080, 1832, 728, 884, 828, 2756
UAC bypass
Processes: taskhost.exe, 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  taskhost.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  taskhost.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  taskhost.exe
Processes:
  resource                                                                       yara_rule
  behavioral1/memory/1908-1-0x0000000001170000-0x0000000001282000-memory.dmp     dcrat
  C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe                     dcrat
  C:\Windows\Setup\State\audiodg.exe                                             dcrat
  C:\Windows\ServiceProfiles\NetworkService\Saved Games\78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe  dcrat
  behavioral1/memory/1704-230-0x0000000000150000-0x0000000000262000-memory.dmp   dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes: powershell.exe (16 instances)
  pid: 2436, 1020, 1788, 2640, 548, 956, 584, 1724, 2816, 836, 1956, 2664, 2848, 2316, 2504, 1868
Executes dropped EXE 1 IoCs
Processes: taskhost.exe
  pid 1704  taskhost.exe
Checks whether UAC is enabled
Processes: 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe, taskhost.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  taskhost.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  taskhost.exe
Drops file in Program Files directory 8 IoCs
Processes: 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe (all 8 rows)
  File created  C:\Program Files\Windows Photo Viewer\es-ES\taskhost.exe
  File created  C:\Program Files\Windows Photo Viewer\es-ES\b75386f1303e64
  File created  C:\Program Files (x86)\Windows Defender\ja-JP\winlogon.exe
  File created  C:\Program Files (x86)\Windows Defender\ja-JP\cc11b995f2a76d
  File opened for modification  C:\Program Files\Windows Photo Viewer\es-ES\RCXB38B.tmp
  File opened for modification  C:\Program Files\Windows Photo Viewer\es-ES\taskhost.exe
  File opened for modification  C:\Program Files (x86)\Windows Defender\ja-JP\RCXC0BA.tmp
  File opened for modification  C:\Program Files (x86)\Windows Defender\ja-JP\winlogon.exe
Drops file in Windows directory 20 IoCs
Processes: 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe (all 20 rows)
  File created  C:\Windows\TAPI\27d1bcfc3c54e0
  File created  C:\Windows\ServiceProfiles\NetworkService\Saved Games\78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
  File opened for modification  C:\Windows\TAPI\RCXBC45.tmp
  File opened for modification  C:\Windows\Setup\State\audiodg.exe
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\Saved Games\RCXC2CE.tmp
  File opened for modification  C:\Windows\security\logs\sppsvc.exe
  File opened for modification  C:\Windows\TAPI\System.exe
  File created  C:\Windows\BitLockerDiscoveryVolumeContents\explorer.exe
  File created  C:\Windows\BitLockerDiscoveryVolumeContents\7a0fd90576e088
  File created  C:\Windows\TAPI\System.exe
  File created  C:\Windows\Setup\State\audiodg.exe
  File created  C:\Windows\ServiceProfiles\NetworkService\Saved Games\ae74dec7c7d912
  File created  C:\Windows\security\logs\sppsvc.exe
  File opened for modification  C:\Windows\BitLockerDiscoveryVolumeContents\explorer.exe
  File created  C:\Windows\Setup\State\42af1c969fbb7b
  File created  C:\Windows\security\logs\0a1fd5f707cd16
  File opened for modification  C:\Windows\Setup\State\RCXBE49.tmp
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\Saved Games\78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
  File opened for modification  C:\Windows\BitLockerDiscoveryVolumeContents\RCXB7A2.tmp
  File opened for modification  C:\Windows\security\logs\RCXC9D3.tmp
Creates scheduled task(s) 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (45 instances)
  pid: 884, 2320, 2184, 1712, 1856, 1468, 2172, 1220, 2552, 2408, 1104, 2668, 3052, 2708, 1748, 2584, 1060, 2672, 876, 3008, 1832, 1944, 2808, 576, 2128, 2692, 2628, 880, 1616, 1080, 2460, 1240, 308, 2196, 768, 2968, 728, 2756, 2540, 2156, 1988, 828, 2292, 3024, 980
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe, powershell.exe (11 instances)
  pid 1908  78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe  (53 identical rows)
  pid 2848  powershell.exe
  pid 1020  powershell.exe
  pid 2316  powershell.exe
  pid 1724  powershell.exe
  pid 548   powershell.exe
  pid 1788  powershell.exe
  pid 1956  powershell.exe
  pid 2816  powershell.exe
  pid 956   powershell.exe
  pid 1868  powershell.exe
  pid 836   powershell.exe
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes: 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe, powershell.exe (16 instances), taskhost.exe
  Token: SeDebugPrivilege  1908  78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
  Token: SeDebugPrivilege  2848  powershell.exe
  Token: SeDebugPrivilege  1020  powershell.exe
  Token: SeDebugPrivilege  2316  powershell.exe
  Token: SeDebugPrivilege  1724  powershell.exe
  Token: SeDebugPrivilege  548   powershell.exe
  Token: SeDebugPrivilege  1788  powershell.exe
  Token: SeDebugPrivilege  1956  powershell.exe
  Token: SeDebugPrivilege  2816  powershell.exe
  Token: SeDebugPrivilege  956   powershell.exe
  Token: SeDebugPrivilege  1868  powershell.exe
  Token: SeDebugPrivilege  836   powershell.exe
  Token: SeDebugPrivilege  2664  powershell.exe
  Token: SeDebugPrivilege  2436  powershell.exe
  Token: SeDebugPrivilege  2504  powershell.exe
  Token: SeDebugPrivilege  2640  powershell.exe
  Token: SeDebugPrivilege  584   powershell.exe
  Token: SeDebugPrivilege  1704  taskhost.exe
Suspicious use of WriteProcessMemory 57 IoCs
Processes: 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe, cmd.exe
(each row appears three times in the report; shown once here with the count)
  PID 1908 (78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe) wrote to memory of 2436  powershell.exe  (3 rows)
  PID 1908 (78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe) wrote to memory of 1724  powershell.exe  (3 rows)
  PID 1908 (78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe) wrote to memory of 2848  powershell.exe  (3 rows)
  PID 1908 (78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe) wrote to memory of 2816  powershell.exe  (3 rows)
  PID 1908 (78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe) wrote to memory of 548   powershell.exe  (3 rows)
  PID 1908 (78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe) wrote to memory of 956   powershell.exe  (3 rows)
  PID 1908 (78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe) wrote to memory of 2316  powershell.exe  (3 rows)
  PID 1908 (78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe) wrote to memory of 2504  powershell.exe  (3 rows)
  PID 1908 (78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe) wrote to memory of 836   powershell.exe  (3 rows)
  PID 1908 (78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe) wrote to memory of 1020  powershell.exe  (3 rows)
  PID 1908 (78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe) wrote to memory of 1956  powershell.exe  (3 rows)
  PID 1908 (78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe) wrote to memory of 1788  powershell.exe  (3 rows)
  PID 1908 (78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe) wrote to memory of 584   powershell.exe  (3 rows)
  PID 1908 (78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe) wrote to memory of 2640  powershell.exe  (3 rows)
  PID 1908 (78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe) wrote to memory of 2664  powershell.exe  (3 rows)
  PID 1908 (78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe) wrote to memory of 1868  powershell.exe  (3 rows)
  PID 1908 (78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe) wrote to memory of 576   cmd.exe         (3 rows)
  PID 576 (cmd.exe) wrote to memory of 1084  w32tm.exe     (3 rows)
  PID 576 (cmd.exe) wrote to memory of 1704  taskhost.exe  (3 rows)
System policy modification 1 TTPs 6 IoCs
Processes: taskhost.exe, 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  taskhost.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  taskhost.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  taskhost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1908 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2436 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\taskhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\es-ES\taskhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:548 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\explorer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2316 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2504 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\System.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:836 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\audiodg.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1020 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\winlogon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\NetworkService\Saved Games\78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:584 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Local Settings\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2640 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\logs\sppsvc.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2664 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\smss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nMdX7E06KS.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:1084
-
C:\Users\Default\Cookies\taskhost.exe"C:\Users\Default\Cookies\taskhost.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1704
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Cookies\taskhost.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\taskhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Cookies\taskhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\lsass.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\lsass.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2408
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\lsass.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2460
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\taskhost.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\taskhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\taskhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:576
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1104
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\explorer.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\explorer.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\explorer.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1060
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2672
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\System.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\TAPI\System.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\System.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\Setup\State\audiodg.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Setup\State\audiodg.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1220
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\Setup\State\audiodg.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\winlogon.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\winlogon.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:308
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\winlogon.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics7" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\NetworkService\Saved Games\78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Saved Games\78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3008
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics7" /sc MINUTE /mo 6 /tr "'C:\Windows\ServiceProfiles\NetworkService\Saved Games\78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Local Settings\lsass.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\lsass.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:980
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Local Settings\lsass.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3052
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\security\logs\sppsvc.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\security\logs\sppsvc.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\security\logs\sppsvc.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:728
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\smss.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:828
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Scheduled Task/Job (1)
Downloads
-
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe
Filesize 1.0MB
MD5 78de114aa12b3464cc3bbd2e6f6be910
SHA1 aaf0559466a075d400a6e35a31400bd85bd06391
SHA256 2714e9470dd1490f31065e4c38cfd1211786d0a299b7896c192fc369a6e1f6f9
SHA512 a60eccf0d61bf14657fccec0b053ac32437d18cad4bea8c7bfbec72e8ff2401a28c6fed8380e95fbc7faa18dfcec7751552ad25f4218695c1525b29cde8bab88
-
C:\Users\Admin\AppData\Local\Temp\nMdX7E06KS.bat
Filesize 202B
MD5 13c9692631e89659f9f4decb4132bf54
SHA1 f9dfce8563ae2e66bf2893acf8f6a29b6acf6c0d
SHA256 591f8d5c21f86804008170bb57043249057b99602d827b9863657a47f68343aa
SHA512 056b43529096cbc740e2315d13005b543832426d96d1ac946b113b7da9f8c590571fddae967eb0a95b3ddea0aa05d37c1b32321ddea34e35ba004aadbe666c96
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 c1db75e615dc83e94142609a9b719397
SHA1 3c7df550e52ee6f512c5e9591f33dfbf87de0b1d
SHA256 92097b80761f905737d43e0e3c914eff7d8a8a14917542bad762ddf8c313c64b
SHA512 ec629b0e666cfa7084d7886f6ef51d19723f86f2d0c743ddf7f15c3f0502541eec100c6b668eb7b75cba6153b1ad152d8563e0854d5f5a0892a5d378b517f6fb
-
C:\Windows\ServiceProfiles\NetworkService\Saved Games\78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
Filesize 1.0MB
MD5 89ed902f48de72e255cf5c70ddfc0a08
SHA1 e1a452a284b44c1d5b8144003b86d52de0b59c2d
SHA256 b608468fedd47375034ade239e6fc1ba34ecfbefddfc4c7d524d5580990dbe32
SHA512 13b1806c52b203d431f6f56f17ca452e726e664a1f58053a7d82ced29fae656a2971187a05375287e108354234a4f24aaa45844364458ef08d37f6c4feba408a
-
C:\Windows\Setup\State\audiodg.exe
Filesize 1.0MB
MD5 7405dc697b92b9e475c8d7454043f0d7
SHA1 6c78b79a0878c0eabf10dd4e18f7d34e3dbe9394
SHA256 e32154d1674f3e137fc5a9b806574a66dfbd7c602fdc59fefae7fc62b0d2b7df
SHA512 ab8f9f24a49ea25521499378bc555f491664cc9d3c2ccd908d1d2d596f227aca0ad7b18c6a8d881cba539c9ce82ef88bdeb803e9a6f892af1f498eba43b0ce12
-
memory/1704-230-0x0000000000150000-0x0000000000262000-memory.dmp
Filesize 1.1MB
-
memory/1724-167-0x000000001B3C0000-0x000000001B6A2000-memory.dmp
Filesize 2.9MB
-
memory/1908-10-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
Filesize 9.9MB
-
memory/1908-0-0x000007FEF5693000-0x000007FEF5694000-memory.dmp
Filesize 4KB
-
memory/1908-7-0x00000000003C0000-0x00000000003CC000-memory.dmp
Filesize 48KB
-
memory/1908-6-0x0000000000170000-0x000000000017C000-memory.dmp
Filesize 48KB
-
memory/1908-5-0x0000000000160000-0x000000000016A000-memory.dmp
Filesize 40KB
-
memory/1908-149-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
Filesize 9.9MB
-
memory/1908-4-0x0000000000150000-0x0000000000160000-memory.dmp
Filesize 64KB
-
memory/1908-3-0x0000000000140000-0x0000000000148000-memory.dmp
Filesize 32KB
-
memory/1908-2-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
Filesize 9.9MB
-
memory/1908-1-0x0000000001170000-0x0000000001282000-memory.dmp
Filesize 1.1MB
-
memory/2848-198-0x0000000002370000-0x0000000002378000-memory.dmp
Filesize 32KB