Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 05:21

Behavioral task: behavioral1
Sample: 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
Resource: win7-20240221-en

General
Target: 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
Size: 1.0MB
MD5: 78de114aa12b3464cc3bbd2e6f6be910
SHA1: aaf0559466a075d400a6e35a31400bd85bd06391
SHA256: 2714e9470dd1490f31065e4c38cfd1211786d0a299b7896c192fc369a6e1f6f9
SHA512: a60eccf0d61bf14657fccec0b053ac32437d18cad4bea8c7bfbec72e8ff2401a28c6fed8380e95fbc7faa18dfcec7751552ad25f4218695c1525b29cde8bab88
SSDEEP: 12288:vubxAa9sUFxZ8oq7URPvyKBozWeL+vSgmtjJcDVrCTZSXlVB0mGEB0aNN/cPUeWl:w9sUFxZq7URPt6RL6nBrEZUjGE/L8YZ
Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process (48 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (identical for all 48 entries; pid_target is 1940 in every entry)
pid | process
1416 | schtasks.exe
1076 | schtasks.exe
4512 | schtasks.exe
3320 | schtasks.exe
2568 | schtasks.exe
4664 | schtasks.exe
3620 | schtasks.exe
3868 | schtasks.exe
1192 | schtasks.exe
1420 | schtasks.exe
4872 | schtasks.exe
4688 | schtasks.exe
4136 | schtasks.exe
4628 | schtasks.exe
5068 | schtasks.exe
4192 | schtasks.exe
4404 | schtasks.exe
4364 | schtasks.exe
4284 | schtasks.exe
4640 | schtasks.exe
4768 | schtasks.exe
2120 | schtasks.exe
2072 | schtasks.exe
4344 | schtasks.exe
1956 | schtasks.exe
5028 | schtasks.exe
1612 | schtasks.exe
4828 | schtasks.exe
4416 | schtasks.exe
1220 | schtasks.exe
2572 | schtasks.exe
1544 | schtasks.exe
3608 | schtasks.exe
3692 | schtasks.exe
400 | schtasks.exe
4548 | schtasks.exe
4452 | schtasks.exe
1188 | schtasks.exe
1160 | schtasks.exe
1976 | schtasks.exe
1560 | schtasks.exe
4864 | schtasks.exe
1992 | schtasks.exe
2500 | schtasks.exe
5080 | schtasks.exe
2284 | schtasks.exe
5096 | schtasks.exe
556 | schtasks.exe
UAC bypass (6 IoCs; signature name taken from the process tree below)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dllhost.exe
Processes:
resource | yara_rule
behavioral2/memory/2688-1-0x0000000000700000-0x0000000000812000-memory.dmp | dcrat
C:\Users\Admin\Documents\fontdrvhost.exe | dcrat
C:\Program Files (x86)\Windows Defender\SppExtComObj.exe | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 17 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process (all 17 entries are powershell.exe)
3712, 4136, 4048, 4292, 4872, 1420, 5068, 796, 3068, 4108, 4052, 3960, 3572, 4628, 4360, 2056, 4688 | powershell.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
Executes dropped EXE (1 IoCs)
Processes:
pid | process
5148 | dllhost.exe
Checks whether UAC is enabled (4 IoCs; signature name taken from the process tree below)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
Drops file in Program Files directory (37 IoCs)
Processes:
description | ioc (process is 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe for every entry)
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\29c1c3cc0f7685
File created | C:\Program Files\Internet Explorer\it-IT\e1ef82546f0b02
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RCX5C36.tmp
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe
File created | C:\Program Files (x86)\Reference Assemblies\dllhost.exe
File created | C:\Program Files (x86)\Windows Mail\sysmon.exe
File opened for modification | C:\Program Files\Internet Explorer\it-IT\SppExtComObj.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\RCX632E.tmp
File created | C:\Program Files (x86)\Reference Assemblies\5940a34987c991
File opened for modification | C:\Program Files (x86)\Reference Assemblies\RCX44DA.tmp
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\en-US\RCX48E3.tmp
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\RuntimeBroker.exe
File created | C:\Program Files (x86)\Windows Defender\e1ef82546f0b02
File created | C:\Program Files\WindowsApps\csrss.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\sysmon.exe
File opened for modification | C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\RCX5723.tmp
File opened for modification | C:\Program Files (x86)\Windows Defender\SppExtComObj.exe
File created | C:\Program Files (x86)\Windows Mail\121e5b5079f7c0
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\5940a34987c991
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\RuntimeBroker.exe
File opened for modification | C:\Program Files (x86)\Windows Multimedia Platform\RCX5115.tmp
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX5EA8.tmp
File created | C:\Program Files\Internet Explorer\it-IT\SppExtComObj.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe
File opened for modification | C:\Program Files\Internet Explorer\it-IT\RCX4AF7.tmp
File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\5940a34987c991
File opened for modification | C:\Program Files (x86)\Windows Mail\RCX46DE.tmp
File created | C:\Program Files (x86)\Windows Multimedia Platform\ee2ad38f3d4382
File created | C:\Program Files (x86)\Windows Defender\SppExtComObj.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\9e8d7a4ca61bd9
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\en-US\dllhost.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\dllhost.exe
File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\dllhost.exe
Drops file in Windows directory (5 IoCs)
Processes:
description | ioc (process is 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe for every entry)
File created | C:\Windows\ImmersiveControlPanel\fr-FR\explorer.exe
File opened for modification | C:\Windows\Tasks\RCX5319.tmp
File opened for modification | C:\Windows\Tasks\System.exe
File created | C:\Windows\Tasks\System.exe
File created | C:\Windows\Tasks\27d1bcfc3c54e0
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 48 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process (all 48 entries are schtasks.exe)
1416, 3620, 1192, 3608, 1992, 1076, 4628, 5068, 4404, 4640, 2072, 4416, 1220, 1976, 5080, 3320, 4136, 1544, 1560, 4864, 5096, 2572, 1160, 2500, 2284, 2568, 4664, 3868, 4344, 1956, 5028, 1612, 4828, 400, 4452, 4768, 2120, 4548, 1420, 4688, 4512, 4872, 4192, 4364, 4284, 3692, 1188, 556 | schtasks.exe
Modifies registry class (1 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process
2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe (this same entry is listed 64 times, one per IoC)
Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
Token: SeDebugPrivilege | 4292 | powershell.exe
Token: SeDebugPrivilege | 2056 | powershell.exe
Token: SeDebugPrivilege | 1420 | powershell.exe
Token: SeDebugPrivilege | 4688 | powershell.exe
Token: SeDebugPrivilege | 5068 | powershell.exe
Token: SeDebugPrivilege | 4872 | powershell.exe
Token: SeDebugPrivilege | 3572 | powershell.exe
Token: SeDebugPrivilege | 3712 | powershell.exe
Token: SeDebugPrivilege | 4136 | powershell.exe
Token: SeDebugPrivilege | 4360 | powershell.exe
Token: SeDebugPrivilege | 4108 | powershell.exe
Token: SeDebugPrivilege | 796 | powershell.exe
Token: SeDebugPrivilege | 4628 | powershell.exe
Token: SeDebugPrivilege | 3068 | powershell.exe
Token: SeDebugPrivilege | 3960 | powershell.exe
Token: SeDebugPrivilege | 4052 | powershell.exe
Token: SeDebugPrivilege | 4048 | powershell.exe
Token: SeDebugPrivilege | 5148 | dllhost.exe
Suspicious use of WriteProcessMemory (40 IoCs)
Processes:
description | pid | process | target process
PID 2688 wrote to memory of 4292 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 4292 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 796 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 796 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 2056 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 2056 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 3960 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 3960 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 3068 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 3068 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 1420 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 1420 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 4872 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 4872 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 3572 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 3572 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 4688 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 4688 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 4108 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 4108 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 3712 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 3712 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 4136 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 4136 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 4052 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 4052 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 4628 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 4628 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 4048 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 4048 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 5068 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 5068 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 4360 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 4360 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | powershell.exe
PID 2688 wrote to memory of 3016 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | cmd.exe
PID 2688 wrote to memory of 3016 | 2688 | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe | cmd.exe
PID 3016 wrote to memory of 5740 | 3016 | cmd.exe | w32tm.exe
PID 3016 wrote to memory of 5740 | 3016 | cmd.exe | w32tm.exe
PID 3016 wrote to memory of 5148 | 3016 | cmd.exe | dllhost.exe
PID 3016 wrote to memory of 5148 | 3016 | cmd.exe | dllhost.exe
System policy modification (1 TTPs, 6 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2688 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\78de114aa12b3464cc3bbd2e6f6be910_NeikiAnalytics.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4292 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:796 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\sysmon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2056 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3960 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\it-IT\SppExtComObj.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3068 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\fontdrvhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1420 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\RuntimeBroker.exe'
Level: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 4872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'
Level: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 3572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\System.exe'
Level: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 4688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
Level: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 4108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\SppExtComObj.exe'
Level: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 3712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\OfficeClickToRun.exe'
Level: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 4136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'
Level: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 4052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe'
Level: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 4628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
Level: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 4048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\RuntimeBroker.exe'
Level: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 5068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\dllhost.exe'
Level: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 4360

C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HPolXykTJd.bat"
Level: 2
- Suspicious use of WriteProcessMemory
PID: 3016

C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Level: 3
PID: 5740

C:\Program Files (x86)\Reference Assemblies\dllhost.exe
Command line: "C:\Program Files (x86)\Reference Assemblies\dllhost.exe"
Level: 3
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 5148

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\dllhost.exe'" /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1416

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1076

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4512

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\sysmon.exe'" /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3320

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sysmon.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2568

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\sysmon.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4664

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\dllhost.exe'" /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3620

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\dllhost.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3868

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\dllhost.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1192

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\it-IT\SppExtComObj.exe'" /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1420

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\SppExtComObj.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4872

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\it-IT\SppExtComObj.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4688

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\fontdrvhost.exe'" /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4136

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\fontdrvhost.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4628

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\My Documents\fontdrvhost.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 5068

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4192

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4404

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4364

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4284

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4768

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4640

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\System.exe'" /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2072

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Tasks\System.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2120

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\System.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4344

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 5028

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1956

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1612

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\SppExtComObj.exe'" /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2572

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\SppExtComObj.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1220

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\SppExtComObj.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4828

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\OfficeClickToRun.exe'" /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4416

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Public\Libraries\OfficeClickToRun.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1544

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\OfficeClickToRun.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3608

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'" /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3692

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 400

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4548

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe'" /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4452

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1188

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1160

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1976

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1560

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4864

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\RuntimeBroker.exe'" /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1992

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\RuntimeBroker.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2500

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\RuntimeBroker.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 5080

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\dllhost.exe'" /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 556

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\dllhost.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2284

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\dllhost.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 5096
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads

C:\Program Files (x86)\Windows Defender\SppExtComObj.exe
Filesize: 1.0MB
MD5: f81a2077ff376c8e8dfc90a9cf8b22ba
SHA1: 6f6e68474346c37b457b30086726c062ad70476e
SHA256: 02af5a9d132448ddfcef1d093beb1f4e80e790e3d2164a0235bdc5846816f2f6
SHA512: 23bbeb8dd04a35edbca12c2fdd146b19f80340e67dc5c62d8c2861b8d188106ce5ac943a677a2946059f44b336f3776a6425b8036f766b0134cce8b23895cf47

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: d28a889fd956d5cb3accfbaf1143eb6f
SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: cadef9abd087803c630df65264a6c81c
SHA1: babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256: cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512: 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: a8e8360d573a4ff072dcc6f09d992c88
SHA1: 3446774433ceaf0b400073914facab11b98b6807
SHA256: bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA512: 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: 5f0ddc7f3691c81ee14d17b419ba220d
SHA1: f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256: a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512: 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1: f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256: 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512: 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: aaaac7c68d2b7997ed502c26fd9f65c2
SHA1: 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256: 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512: c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: 28d4235aa2e6d782751f980ceb6e5021
SHA1: f5d82d56acd642b9fc4b963f684fd6b78f25a140
SHA256: 8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638
SHA512: dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: e243a38635ff9a06c87c2a61a2200656
SHA1: ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256: af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512: 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Temp\HPolXykTJd.bat
Filesize: 220B
MD5: 8d1645e5c394ad66232ac8c0b2e38804
SHA1: 644de798173f31070135baf55e776c56af8ba4d2
SHA256: c81ef0cdaa66d61dd485867abc9ea0906cd8b446bb482b27f19b151ca68a842e
SHA512: f0d7c7cbb465946760660e0d52ab66ebcebbaad8c5eae9ab7308940e496b649dd41b99b3d4d8ebaebacb79875d29ef2a0a947f8eba81a26365ebce18d6722484

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gw4pffsk.tkc.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\Documents\fontdrvhost.exe
Filesize: 1.0MB
MD5: 78de114aa12b3464cc3bbd2e6f6be910
SHA1: aaf0559466a075d400a6e35a31400bd85bd06391
SHA256: 2714e9470dd1490f31065e4c38cfd1211786d0a299b7896c192fc369a6e1f6f9
SHA512: a60eccf0d61bf14657fccec0b053ac32437d18cad4bea8c7bfbec72e8ff2401a28c6fed8380e95fbc7faa18dfcec7751552ad25f4218695c1525b29cde8bab88

- memory/2688-2-0x00007FF82E9E0000-0x00007FF82F4A1000-memory.dmp (Filesize: 10.8MB)
- memory/2688-159-0x00007FF82E9E0000-0x00007FF82F4A1000-memory.dmp (Filesize: 10.8MB)
- memory/2688-4-0x0000000001420000-0x0000000001430000-memory.dmp (Filesize: 64KB)
- memory/2688-3-0x0000000000EE0000-0x0000000000EE8000-memory.dmp (Filesize: 32KB)
- memory/2688-0-0x00007FF82E9E3000-0x00007FF82E9E5000-memory.dmp (Filesize: 8KB)
- memory/2688-16-0x00007FF82E9E0000-0x00007FF82F4A1000-memory.dmp (Filesize: 10.8MB)
- memory/2688-5-0x0000000001430000-0x000000000143A000-memory.dmp (Filesize: 40KB)
- memory/2688-1-0x0000000000700000-0x0000000000812000-memory.dmp (Filesize: 1.1MB)
- memory/2688-11-0x00007FF82E9E0000-0x00007FF82F4A1000-memory.dmp (Filesize: 10.8MB)
- memory/2688-10-0x00007FF82E9E0000-0x00007FF82F4A1000-memory.dmp (Filesize: 10.8MB)
- memory/2688-7-0x0000000001460000-0x000000000146C000-memory.dmp (Filesize: 48KB)
- memory/2688-6-0x0000000001450000-0x000000000145C000-memory.dmp (Filesize: 48KB)
- memory/4292-161-0x0000020628980000-0x00000206289A2000-memory.dmp (Filesize: 136KB)