Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/06/2024, 22:09

Behavioral task behavioral1
  Sample: 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task behavioral2
  Sample: 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe
Size: 20KB
MD5: 1d2047e2b82e3a6362c9b6b72f405c30
SHA1: 78d2e802568f37757c731443a11aea1ca17fc9e1
SHA256: 0e90a3fb1722c7dbc684ff259cb2657a84d06c4bc21bce02c372fab639aa6c1e
SHA512: e2a9845c16ff1e49962b86ea580ea79bbd141be0e441c62ead7d8c893f0ed323fa91170bc0990e5b7a30549fb8c4ffda82f9a96583ea8a76a03cb2672e421bda
SSDEEP: 384:g58AcUoUQKNRYELxQUHDvmk3E+KDvB77777J77c77c77c72qh59mUhlthLzK:g5BOFKksO1mE9B77777J77c77c77c71W
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\1D6600A.exe\"" | 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\1D6600A.exe\"" | 1D6600A.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\1D6600A.exe\"" | 1D6600ASSQZSV.exe
Executes dropped EXE (5 IoCs)
pid | Process
3080 | 1D6600A.exe
4012 | 1D6600ASSQZSV.exe
2524 | 1D6600ASSQZSV.exe
2392 | 1D6600A.exe
1268 | 1D6600A.exe

UPX packed file
resource | yara_rule
behavioral2/memory/3324-0-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/files/0x00070000000233fc-7.dat | upx
behavioral2/memory/3080-10-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/files/0x00080000000233f7-9.dat | upx
behavioral2/memory/2524-24-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/2392-29-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/1268-35-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/3324-37-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/4012-39-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/3080-38-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/3080-40-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/4012-41-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/4012-43-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/3080-42-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/4012-45-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/3080-44-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/3080-46-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/4012-47-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/3080-48-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/4012-49-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/3080-50-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/4012-51-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/4012-53-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/3080-52-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/4012-55-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/3080-54-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/4012-57-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/3080-56-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/4012-59-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/3080-58-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/3080-60-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/4012-61-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/3080-62-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/4012-63-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/3080-64-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/4012-65-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/4012-67-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/3080-66-0x0000000000400000-0x000000000040F000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1D6600A.exe = "C:\\Windows\\1D6600A.exe" | 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1D6600A.exe = "C:\\Windows\\1D6600A.exe" | 1D6600A.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1D6600A.exe = "C:\\Windows\\1D6600A.exe" | 1D6600ASSQZSV.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\1D6600A.exe | 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe
File opened for modification | C:\Windows\1D6600ASSQZSV.exe | 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe
Kills process with taskkill (42 IoCs)
Process: TASKKILL.exe for every IoC; pids: 2408, 5088, 2156, 5056, 3836, 2700, 1532, 2132, 1164, 436, 3760, 216, 3104, 1808, 3880, 2116, 4844, 2904, 1292, 3996, 1572, 2656, 4148, 4380, 3464, 5112, 752, 4664, 1688, 1052, 2004, 3164, 3132, 3968, 4640, 4576, 4392, 3532, 1584, 208, 4856, 4920

Suspicious use of AdjustPrivilegeToken (42 IoCs)
description: Token: SeDebugPrivilege; Process: TASKKILL.exe for every IoC; pids: 5056, 4856, 4664, 3836, 2132, 5112, 4576, 752, 1164, 3880, 3464, 436, 3968, 4640, 2700, 1572, 2656, 1808, 3104, 5088, 3996, 3132, 2156, 2004, 2904, 1292, 208, 1052, 4148, 4844, 3164, 4392, 2116, 1532, 3760, 1584, 1688, 216, 2408, 3532, 4380, 4920
Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
3324 | 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe
3080 | 1D6600A.exe
4012 | 1D6600ASSQZSV.exe
2524 | 1D6600ASSQZSV.exe
2392 | 1D6600A.exe
1268 | 1D6600A.exe

Suspicious use of WriteProcessMemory (64 IoCs; the report records three writes per child process, so each line below stands for three identical records unless noted)
description | pid | Process | procid_target
PID 3324 wrote to memory of 3464 | 3324 | 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe | 81
PID 3324 wrote to memory of 4664 | 3324 | 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe | 82
PID 3324 wrote to memory of 752 | 3324 | 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe | 83
PID 3324 wrote to memory of 2132 | 3324 | 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe | 84
PID 3324 wrote to memory of 2004 | 3324 | 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe | 85
PID 3324 wrote to memory of 5112 | 3324 | 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe | 86
PID 3324 wrote to memory of 3836 | 3324 | 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe | 87
PID 3324 wrote to memory of 4576 | 3324 | 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe | 88
PID 3324 wrote to memory of 436 | 3324 | 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe | 89
PID 3324 wrote to memory of 1164 | 3324 | 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe | 90
PID 3324 wrote to memory of 4640 | 3324 | 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe | 91
PID 3324 wrote to memory of 5056 | 3324 | 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe | 92
PID 3324 wrote to memory of 4856 | 3324 | 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe | 93
PID 3324 wrote to memory of 1572 | 3324 | 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe | 94
PID 3324 wrote to memory of 3080 | 3324 | 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe | 98
PID 3080 wrote to memory of 3996 | 3080 | 1D6600A.exe | 110
PID 3080 wrote to memory of 3968 | 3080 | 1D6600A.exe | 111
PID 3080 wrote to memory of 3880 | 3080 | 1D6600A.exe | 112
PID 3080 wrote to memory of 1808 | 3080 | 1D6600A.exe | 113
PID 3080 wrote to memory of 2156 | 3080 | 1D6600A.exe | 114
PID 3080 wrote to memory of 1052 | 3080 | 1D6600A.exe | 115
PID 3080 wrote to memory of 5088 | 3080 | 1D6600A.exe | 116 (one record shown; the list is capped at 64 IoCs)
Processes
Indentation shows depth in the process tree; each node lists its path, PID, command line and the signatures it triggered.

C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe (PID 3324)
  command line: "C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe"
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\TASKKILL.exe, 14 children, each flagged: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    PID 3464: TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
    PID 4664: TASKKILL /S COMPUTERNAME /F /IM services.exe /T
    PID 752: TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
    PID 2132: TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
    PID 2004: TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
    PID 5112: TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
    PID 3836: TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
    PID 4576: TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
    PID 436: TASKKILL /S COMPUTERNAME /F /IM services.exe /T
    PID 1164: TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
    PID 4640: TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
    PID 5056: TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
    PID 4856: TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
    PID 1572: TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

  C:\Windows\1D6600A.exe (PID 3080)
    command line: C:\Windows\1D6600A.exe
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\TASKKILL.exe, 14 children, each flagged: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      PID 3996: TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      PID 3968: TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      PID 3880: TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      PID 1808: TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      PID 2156: TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      PID 1052: TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      PID 5088: TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      PID 3104: TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      PID 3132: TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      PID 1532: TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      PID 2656: TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      PID 2700: TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      PID 1688: TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      PID 2116: TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

    C:\Windows\1D6600ASSQZSV.exe (PID 4012)
      command line: C:\Windows\1D6600ASSQZSV.exe
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\TASKKILL.exe, 14 children, each flagged: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
        PID 216: TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
        PID 208: TASKKILL /S COMPUTERNAME /F /IM services.exe /T
        PID 1584: TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
        PID 3532: TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
        PID 3760: TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
        PID 1292: TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
        PID 3164: TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
        PID 4392: TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
        PID 4844: TASKKILL /S COMPUTERNAME /F /IM services.exe /T
        PID 4920: TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
        PID 2408: TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
        PID 2904: TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
        PID 4380: TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
        PID 4148: TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

      C:\Windows\1D6600ASSQZSV.exe (PID 2524)
        command line: C:\Windows\1D6600ASSQZSV.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      C:\Windows\1D6600A.exe (PID 2392)
        command line: C:\Windows\1D6600A.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

    C:\Windows\1D6600A.exe (PID 1268)
      command line: C:\Windows\1D6600A.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 18KB
MD5: 80c6d202d1baa4e47c68c299e02a5b83
SHA1: a2dce074163bed60d4c9ee548135c3ddd6c39307
SHA256: d1cd4f0b72ba3fc5c2e2ef0e42fa080490ef61b195a6a9a927fecd4013b48efa
SHA512: 07f1f171caed67fe45218b7bbff93ced98d20a8f4222aad829d0b519d2d1855bc054fe90ea78a3fb26873502d9139fb04b90f977a41943df562de4c12f99b1f2

Filesize: 20KB
MD5: d5df33021ae9d196431bbf2f9498ebbd
SHA1: 07adb50306b248d7f2286ac9efb7a9b298fa5438
SHA256: 935bdc794957a925b277f57e9bcdea37447d178b7138bc8395122f9850ced70f
SHA512: 5c2c9b86beb413a77e579866bc35e428e29396cd71e26c4d7d0651e21e038f048d0253c96981ae79087495260e35219ab2909dee52634c6a6fc61286f6a4d4e3