dcrat | eb17c2c4b3df22786ba8b79d6a9e3c5163d9b52bd679153a43072df8b3226a73

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
Size

2.9MB
MD5

28dd3f281832306f3fda43ca4b66f0d0
SHA1

c2dc92ba919c2b7b2bbae0727ba147c4d72a5e6f
SHA256

eb17c2c4b3df22786ba8b79d6a9e3c5163d9b52bd679153a43072df8b3226a73
SHA512

77397abe12a824511334543f27ce22003850de8610ed304b03687ed91979f63357fe786db46aedcf60d9d4c4ec428e80563151054358e31186664ffc1ac4474b
SSDEEP

49152:H4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:YDKmzjWnC8Wikx1DUN2/Uq

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	488	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2532	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2532	schtasks.exe	28

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2500-1-0x0000000000DF0000-0x00000000010D6000-memory.dmp	dcrat
behavioral1/files/0x0006000000014b1c-34.dat	dcrat
behavioral1/files/0x000a000000013f2c-92.dat	dcrat
behavioral1/memory/1648-261-0x0000000001280000-0x0000000001566000-memory.dmp	dcrat
behavioral1/memory/2368-285-0x00000000001E0000-0x00000000004C6000-memory.dmp	dcrat
behavioral1/memory/952-299-0x0000000000C30000-0x0000000000F16000-memory.dmp	dcrat
behavioral1/memory/1788-311-0x0000000001330000-0x0000000001616000-memory.dmp	dcrat
behavioral1/memory/1668-334-0x00000000002E0000-0x00000000005C6000-memory.dmp	dcrat
behavioral1/memory/3000-346-0x0000000000A50000-0x0000000000D36000-memory.dmp	dcrat
behavioral1/memory/1888-358-0x0000000001390000-0x0000000001676000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2788	powershell.exe
2076	powershell.exe
2280	powershell.exe
384	powershell.exe
788	powershell.exe
1408	powershell.exe
2252	powershell.exe
2084	powershell.exe
552	powershell.exe
1116	powershell.exe
1440	powershell.exe
2208	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
1648	winlogon.exe
2708	winlogon.exe
2368	winlogon.exe
952	winlogon.exe
1788	winlogon.exe
2344	winlogon.exe
1668	winlogon.exe
3000	winlogon.exe
1888	winlogon.exe
1952	winlogon.exe
1116	winlogon.exe
2084	winlogon.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\Office14\lsm.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\wininit.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\56085415360792	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\c5b4cb5e9653cc	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\winlogon.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\RCX23DC.tmp	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\lsm.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\Office14\lsm.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\RCX18B0.tmp	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\RCX1D63.tmp	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\wininit.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\RCX27E3.tmp	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\services.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\services.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RCX21D8.tmp	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\Office14\101b941d020240	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\winlogon.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\cc11b995f2a76d	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files\Internet Explorer\it-IT\lsm.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files\Internet Explorer\it-IT\101b941d020240	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\it-IT\28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Windows\it-IT\1b5c79423e1d64	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\it-IT\RCX386F.tmp	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\it-IT\28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1996	schtasks.exe
1724	schtasks.exe
2880	schtasks.exe
2168	schtasks.exe
2516	schtasks.exe
2116	schtasks.exe
324	schtasks.exe
988	schtasks.exe
2448	schtasks.exe
488	schtasks.exe
1596	schtasks.exe
1252	schtasks.exe
1816	schtasks.exe
380	schtasks.exe
2176	schtasks.exe
1512	schtasks.exe
1872	schtasks.exe
2316	schtasks.exe
2192	schtasks.exe
1792	schtasks.exe
1932	schtasks.exe
1728	schtasks.exe
900	schtasks.exe
1012	schtasks.exe
1644	schtasks.exe
2704	schtasks.exe
2644	schtasks.exe
1928	schtasks.exe
3016	schtasks.exe
2968	schtasks.exe
2508	schtasks.exe
2484	schtasks.exe
3056	schtasks.exe
2828	schtasks.exe
1568	schtasks.exe
892	schtasks.exe
1860	schtasks.exe
1960	schtasks.exe
552	schtasks.exe
2264	schtasks.exe
1096	schtasks.exe
2912	schtasks.exe
2188	schtasks.exe
1556	schtasks.exe
2064	schtasks.exe
1412	schtasks.exe
2384	schtasks.exe
1952	schtasks.exe
796	schtasks.exe
2456	schtasks.exe
2440	schtasks.exe
2220	schtasks.exe
1752	schtasks.exe
1848	schtasks.exe
2356	schtasks.exe
2536	schtasks.exe
2124	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
2076	powershell.exe
2208	powershell.exe
2084	powershell.exe
1116	powershell.exe
2252	powershell.exe
2280	powershell.exe
552	powershell.exe
1408	powershell.exe
788	powershell.exe
384	powershell.exe
2788	powershell.exe
1440	powershell.exe
1648	winlogon.exe
2708	winlogon.exe
2368	winlogon.exe
952	winlogon.exe
1788	winlogon.exe
2344	winlogon.exe
1668	winlogon.exe
3000	winlogon.exe
1888	winlogon.exe
1952	winlogon.exe
1116	winlogon.exe
2084	winlogon.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	384	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	1648	winlogon.exe
Token: SeDebugPrivilege	2708	winlogon.exe
Token: SeDebugPrivilege	2368	winlogon.exe
Token: SeDebugPrivilege	952	winlogon.exe
Token: SeDebugPrivilege	1788	winlogon.exe
Token: SeDebugPrivilege	2344	winlogon.exe
Token: SeDebugPrivilege	1668	winlogon.exe
Token: SeDebugPrivilege	3000	winlogon.exe
Token: SeDebugPrivilege	1888	winlogon.exe
Token: SeDebugPrivilege	1952	winlogon.exe
Token: SeDebugPrivilege	1116	winlogon.exe
Token: SeDebugPrivilege	2084	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2076	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	86
PID 2500 wrote to memory of 2076	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	86
PID 2500 wrote to memory of 2076	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	86
PID 2500 wrote to memory of 2084	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	87
PID 2500 wrote to memory of 2084	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	87
PID 2500 wrote to memory of 2084	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	87
PID 2500 wrote to memory of 2280	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	88
PID 2500 wrote to memory of 2280	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	88
PID 2500 wrote to memory of 2280	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	88
PID 2500 wrote to memory of 552	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	90
PID 2500 wrote to memory of 552	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	90
PID 2500 wrote to memory of 552	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	90
PID 2500 wrote to memory of 384	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	91
PID 2500 wrote to memory of 384	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	91
PID 2500 wrote to memory of 384	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	91
PID 2500 wrote to memory of 788	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	93
PID 2500 wrote to memory of 788	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	93
PID 2500 wrote to memory of 788	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	93
PID 2500 wrote to memory of 2208	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	95
PID 2500 wrote to memory of 2208	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	95
PID 2500 wrote to memory of 2208	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	95
PID 2500 wrote to memory of 1440	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	97
PID 2500 wrote to memory of 1440	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	97
PID 2500 wrote to memory of 1440	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	97
PID 2500 wrote to memory of 1408	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	98
PID 2500 wrote to memory of 1408	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	98
PID 2500 wrote to memory of 1408	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	98
PID 2500 wrote to memory of 2252	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	99
PID 2500 wrote to memory of 2252	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	99
PID 2500 wrote to memory of 2252	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	99
PID 2500 wrote to memory of 1116	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	100
PID 2500 wrote to memory of 1116	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	100
PID 2500 wrote to memory of 1116	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	100
PID 2500 wrote to memory of 2788	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	101
PID 2500 wrote to memory of 2788	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	101
PID 2500 wrote to memory of 2788	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	101
PID 2500 wrote to memory of 1648	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	110
PID 2500 wrote to memory of 1648	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	110
PID 2500 wrote to memory of 1648	2500	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	110
PID 1648 wrote to memory of 664	1648	winlogon.exe	111
PID 1648 wrote to memory of 664	1648	winlogon.exe	111
PID 1648 wrote to memory of 664	1648	winlogon.exe	111
PID 1648 wrote to memory of 2628	1648	winlogon.exe	112
PID 1648 wrote to memory of 2628	1648	winlogon.exe	112
PID 1648 wrote to memory of 2628	1648	winlogon.exe	112
PID 664 wrote to memory of 2708	664	WScript.exe	113
PID 664 wrote to memory of 2708	664	WScript.exe	113
PID 664 wrote to memory of 2708	664	WScript.exe	113
PID 2708 wrote to memory of 2864	2708	winlogon.exe	114
PID 2708 wrote to memory of 2864	2708	winlogon.exe	114
PID 2708 wrote to memory of 2864	2708	winlogon.exe	114
PID 2708 wrote to memory of 1432	2708	winlogon.exe	115
PID 2708 wrote to memory of 1432	2708	winlogon.exe	115
PID 2708 wrote to memory of 1432	2708	winlogon.exe	115
PID 2864 wrote to memory of 2368	2864	WScript.exe	116
PID 2864 wrote to memory of 2368	2864	WScript.exe	116
PID 2864 wrote to memory of 2368	2864	WScript.exe	116
PID 2368 wrote to memory of 2696	2368	winlogon.exe	117
PID 2368 wrote to memory of 2696	2368	winlogon.exe	117
PID 2368 wrote to memory of 2696	2368	winlogon.exe	117
PID 2368 wrote to memory of 2028	2368	winlogon.exe	118
PID 2368 wrote to memory of 2028	2368	winlogon.exe	118
PID 2368 wrote to memory of 2028	2368	winlogon.exe	118
PID 2696 wrote to memory of 952	2696	WScript.exe	121

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe
  "C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1648
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a47a8e4-070b-4108-ab1c-ae0cffc4fedd.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:664
  - - C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe
      C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2708
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d7d807c-8128-4bd1-9ed0-17c8c03b7ec9.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe
        
        C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb38a95e-d338-4799-b91f-8379f3354415.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe
        
        C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68e56664-de33-4b64-9b5e-1cdfc0bf2ebd.vbs"
        9⤵
        
        PID:2352
        
        C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe
        
        C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64944bb5-6bc8-40e9-9dfc-3e9029a4420c.vbs"
        11⤵
        
        PID:1964
        
        C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe
        
        C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d0deaae-97bd-4c34-a492-d1d410cfb37d.vbs"
        13⤵
        
        PID:2652
        
        C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe
        
        C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3eb1b9d6-918d-48a1-965e-63fd5a113f8f.vbs"
        15⤵
        
        PID:412
        
        C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe
        
        C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\396731c4-c8cf-4ac8-a9ee-d3fdae27f41c.vbs"
        17⤵
        
        PID:2192
        
        C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe
        
        C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4b0ba7d-3041-4af4-a0a4-0df57a2e0d02.vbs"
        19⤵
        
        PID:1900
        
        C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe
        
        C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d289e426-bb9f-42dd-88f5-c8a86415f75b.vbs"
        21⤵
        
        PID:2120
        
        C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe
        
        C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d60d27cd-0b9d-429d-963c-4295c63b2e90.vbs"
        23⤵
        
        PID:2132
        
        C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe
        
        C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b283d39-3511-4f6e-b36f-b923cc2a0d0f.vbs"
        25⤵
        
        PID:1848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5ab5f51-791f-4a00-ba7e-7d7a457fbc0f.vbs"
        25⤵
        
        PID:2824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c06d1d8-759c-48f1-bfaf-543aa143de60.vbs"
        23⤵
        
        PID:1200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8691561-abdb-45fd-81d0-96060b502ad3.vbs"
        21⤵
        
        PID:1404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d17f664-e4ec-4a9c-8ded-1d15d95355e9.vbs"
        19⤵
        
        PID:2588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c88c251-300f-4a15-87dd-91396d673f93.vbs"
        17⤵
        
        PID:1936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79b02865-dff6-4496-af94-923507046611.vbs"
        15⤵
        
        PID:1780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\268bf69d-49cd-46a5-b7b4-5b9eec184e9d.vbs"
        13⤵
        
        PID:2316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69cc2ae3-2ec5-4d3f-bf27-4e3e3db2d742.vbs"
        11⤵
        
        PID:1652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c25ea70-7e0f-4abd-91a0-8ad780c8bad1.vbs"
        9⤵
        
        PID:1880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4af3ded-50ba-4bbb-8ca4-cb4384b6eb15.vbs"
        7⤵
        
        PID:2028
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6791ea5e-bf6a-4897-a40b-edbdda7cf5b2.vbs"
        5⤵
        
        PID:1432
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e83b194-238b-4d5b-8bcb-eb79ee12cea4.vbs"
    3⤵
    PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\it-IT\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\it-IT\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Favorites\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics2" /sc MINUTE /mo 9 /tr "'C:\Users\Public\28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Users\Public\28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics2" /sc MINUTE /mo 11 /tr "'C:\Users\Public\28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics2" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Windows\it-IT\28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics2" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Links\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Links\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\winlogon.exe

Filesize
2.9MB

MD5
28dd3f281832306f3fda43ca4b66f0d0

SHA1
c2dc92ba919c2b7b2bbae0727ba147c4d72a5e6f

SHA256
eb17c2c4b3df22786ba8b79d6a9e3c5163d9b52bd679153a43072df8b3226a73

SHA512
77397abe12a824511334543f27ce22003850de8610ed304b03687ed91979f63357fe786db46aedcf60d9d4c4ec428e80563151054358e31186664ffc1ac4474b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e83b194-238b-4d5b-8bcb-eb79ee12cea4.vbs

Filesize
513B

MD5
40cd9376c60b645c1655822d8aaf372a

SHA1
fb601130de7686fac8ec5b84234dc0d2481d5a93

SHA256
7c70e3149189c21d7f99733255b553d6c9923d6cc4049db3fb06a4f155188def

SHA512
c694c0ef4a4f679db3cc8ca4ad2815a9df93101be6d8d34725ba8b2f8a8db910fa7cd8ee0c6fdf1782e8cf9446431a97fb391a73f1c73ced9e2b26ad90b8686b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a47a8e4-070b-4108-ab1c-ae0cffc4fedd.vbs

Filesize
737B

MD5
ba029cd59b55ea8063f864fe643084f9

SHA1
59e52ca297363b836f057815b2559bb56337942d

SHA256
773a2fa8f232abd8ced4d6b2a8ad6bd8db048bf132980c8effd056ad1c9b42fc

SHA512
05881fb0ecf0010cb31c7a70d6ff62e9737d3de733b97454f854a6c360aa956eb3d3608f34688ce791dd77c23ea324dc4e6e25ba2619017af085981ef7437f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d0deaae-97bd-4c34-a492-d1d410cfb37d.vbs

Filesize
737B

MD5
3b83862ba424500dcf896718279c4444

SHA1
14d10b146403ee61fd5eca1842c361260932eeb3

SHA256
d409d6ed97ce77362bb58a3d7083db5f88599fe17e1e1556377b3414b367f88f

SHA512
9955a8a97e1c6fa5bfab8aa9f7665728e7a09da82e9871fcb5cc1b4e6f980977ef8edca844e39b626ea01e41d216c59f93686abd53062412537022365fedeff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\396731c4-c8cf-4ac8-a9ee-d3fdae27f41c.vbs

Filesize
737B

MD5
e5e9f4d81864b00ea6733adf61445831

SHA1
9d1a76b22ef4bdc10b42fc50db94d86a1f2353f6

SHA256
6d8f53bac92a544a6af89227e75777491a65a7a8953ee02e86f0df8184cdc50f

SHA512
795d99e52700b7d46385aca80cddfd0a112b02ea082008928942daf58024a0111b3bc8c2ea7e844304e87e243e3d91faf44565fcc5207ab67fafadb69d699a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\3eb1b9d6-918d-48a1-965e-63fd5a113f8f.vbs

Filesize
737B

MD5
833669754b63520badfd03c5cc720a08

SHA1
699f655b21b35e355fa4073f470bf3f4b82d7ade

SHA256
2f4c60c5fc63cca67e718a88da51c555ed608fa91f08481263a49402c1fcd354

SHA512
8ab3b50d3598f1262c4037ddd58487d9a7879b3b0a1de204a67f5bdeb20766338a3e0d3b4a8bc4d4c4ae1c588357e321ce8f9ab35463440b27bef83ffa1d328e

Download Submit
C:\Users\Admin\AppData\Local\Temp\64944bb5-6bc8-40e9-9dfc-3e9029a4420c.vbs

Filesize
737B

MD5
24bfe8c5d15c0b269292eab4eca9adc0

SHA1
ca207e12025e0b83bc839a7208c1d4eca490adf8

SHA256
0023901ba3d6e918b95f2ab042b8a04a3351092dfa06fdfbe2df0f95dc4499ea

SHA512
7ec4bf4c381b6e2af7ccbe331ad5216756b4f1bf460da31b075ed6c036c11c06b3aa118aa60a721d0064e6d90129117012b00bbe949fd42cfac142e9cfebeceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\68e56664-de33-4b64-9b5e-1cdfc0bf2ebd.vbs

Filesize
736B

MD5
31aa2a0ff5d0abfe62cdf848d72aea01

SHA1
f45838f3142716c0b75d9e11671224749b177eab

SHA256
0c2daa61c645e3ef14db726d448465e8884ec4397dd4258a836840f9a2094de6

SHA512
9c7c46e9e6d06d5a481268d7346a747fc04406260e3b91d6fa60b2d1924225442b66363aac7ce330cb70749975bd26baf0f331a5805e1cede514be545b8bf72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b283d39-3511-4f6e-b36f-b923cc2a0d0f.vbs

Filesize
737B

MD5
d98092d146e0eabb04709754cb745ae0

SHA1
effd44d6147c0823b37a15e6f56135bed2ecb463

SHA256
a0bdc49e783309b3f8f0760189ca1474d71842979b44188e20fef4bb390a3071

SHA512
130f7a837ea3ef90c8d35e9772d91622069618bf6ee812660fc045def12755d3f9ebd40d68996d0a79a035738a674f3f9a5289b306d893031506d0aa1c786f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d7d807c-8128-4bd1-9ed0-17c8c03b7ec9.vbs

Filesize
737B

MD5
7f50c27b20922e13c847af0939a502d3

SHA1
093c59154a4bb6623d357a1abb28916c1f64473e

SHA256
84fb58b0eb86a01654c680e177555e92a6ff152fc091a3a5ce53eec2492c1d33

SHA512
e17ca856ada590050fc6c239701db7ef81d5add1dd49a2619ea679f43adbfe2e70292343ede6a1dfe5f32baf928d6fdaabb36fc962d3ba915faea04f23952750

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb38a95e-d338-4799-b91f-8379f3354415.vbs

Filesize
737B

MD5
9dc916f13a616f054a2fe126f2c6945a

SHA1
adfc6ca271087eb9177376f7cbbd57d6bd0ae03b

SHA256
9450184431d1357558c63f7ffbfdd4c142695267edfdc97c3dfd0fc146847a1c

SHA512
1008e45a0c4ae7d64ad5a254e3534fcdc54b29e414682862ef7b0b7d82d507d51d72a6fb4c844e187b74a79afae9f7bd635293758ee17d8d533213f0ee9e1fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d289e426-bb9f-42dd-88f5-c8a86415f75b.vbs

Filesize
737B

MD5
a2720c07841df315ebd29f52a564e5b6

SHA1
5d8651753fde739c591ac051aa0136f2539d951e

SHA256
dbd0a3a4bf04f2a1ebf091daac4a72b8d9cc2791f0892eb56acd74d9169cd61d

SHA512
7ba57ef0e8d45d1b7e538d1ea9ee92760b226a7666feba563861a88521fc9d6f33dee02c9a73a3cf04f065fd95e9e868c7018a8dfbd4da4b7c84250f81e3b001

Download Submit
C:\Users\Admin\AppData\Local\Temp\d60d27cd-0b9d-429d-963c-4295c63b2e90.vbs

Filesize
737B

MD5
72b8a960d10e272b2983062243afc93e

SHA1
5e37a9e35f55cca9ef23ae8bc48241ba5f13255c

SHA256
3a77b6d587621f6023ae01af267e99a35771d16949724175423298ca018a79f4

SHA512
047ed5cc3f06fb368e55030cbcd7a406a29f7185a0d079ed7269946fea38b949aebacf3394234df9482f34c79a070c270cc440850b402c0c85a955dbac944c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4b0ba7d-3041-4af4-a0a4-0df57a2e0d02.vbs

Filesize
737B

MD5
89e0744b9afcfb660dc0b462d5c56f7b

SHA1
a9e2e37ebcec50a288e73c7ae7f675b1cc4e7654

SHA256
fa4c5f590e6a5b5f3385e93548a2c0528f53e794b4ca758f2ec51997beb354c6

SHA512
2fea9c851b8afe1ee6f7f9acbdcc561cce89de2dafaabffe9190102b3fd45a4b9409046f7d67fe0731b0bcd11d0b618b70ea8614fa24b7ec6c7326bcdf89d0b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RHTQCB47C3UMJUGA74N5.temp

Filesize
7KB

MD5
cb345d563d63ab846a897f8bf3ee1f7d

SHA1
affad322abaaf2844eaaed506a034dff646bfa8b

SHA256
5b5b710b6bd61a25639e43271272c702a64839f33a89c443082fe938fc97d243

SHA512
02e3192e501ab62f9dccda982048ce2b0af167093ac174d4b7e3ee3a830bfc2f438d9e21c359be732d0e8ac0df3b5938dea8e5d4054f13046f743f601aa99420

Download Submit
C:\Users\Default\lsm.exe

Filesize
2.9MB

MD5
6428c5009c22b2dae885389d48d59f22

SHA1
9ac49095451e5ae054121387ed3e098fa5e81db4

SHA256
7246b77d4cf5137490a73614730d9dddb15eedb2d584d3799dca3d780c671ad6

SHA512
4f86ad0f2e04c3505c99bf34d014b0be6a6ff20609cc9864cc3ef94360f2ad4d0c91a50b797c023bae0867c57ead3cea63e27c3b841789eb47d3b9378c049e20

Download Submit
memory/952-299-0x0000000000C30000-0x0000000000F16000-memory.dmp

Filesize
2.9MB

Download
memory/1116-383-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download
memory/1116-382-0x0000000000BD0000-0x0000000000C26000-memory.dmp

Filesize
344KB

Download
memory/1648-261-0x0000000001280000-0x0000000001566000-memory.dmp

Filesize
2.9MB

Download
memory/1668-334-0x00000000002E0000-0x00000000005C6000-memory.dmp

Filesize
2.9MB

Download
memory/1788-311-0x0000000001330000-0x0000000001616000-memory.dmp

Filesize
2.9MB

Download
memory/1888-358-0x0000000001390000-0x0000000001676000-memory.dmp

Filesize
2.9MB

Download
memory/1952-370-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

Filesize
72KB

Download
memory/2076-223-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/2076-222-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2368-287-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2368-286-0x0000000002220000-0x0000000002276000-memory.dmp

Filesize
344KB

Download
memory/2368-285-0x00000000001E0000-0x00000000004C6000-memory.dmp

Filesize
2.9MB

Download
memory/2500-15-0x0000000000DC0000-0x0000000000DD2000-memory.dmp

Filesize
72KB

Download
memory/2500-8-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/2500-17-0x00000000024F0000-0x00000000024F8000-memory.dmp

Filesize
32KB

Download
memory/2500-262-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2500-13-0x0000000000D60000-0x0000000000D68000-memory.dmp

Filesize
32KB

Download
memory/2500-12-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/2500-1-0x0000000000DF0000-0x00000000010D6000-memory.dmp

Filesize
2.9MB

Download
memory/2500-11-0x00000000004F0000-0x0000000000546000-memory.dmp

Filesize
344KB

Download
memory/2500-16-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2500-25-0x0000000002570000-0x000000000257C000-memory.dmp

Filesize
48KB

Download
memory/2500-24-0x0000000002560000-0x000000000256A000-memory.dmp

Filesize
40KB

Download
memory/2500-10-0x00000000004D0000-0x00000000004DA000-memory.dmp

Filesize
40KB

Download
memory/2500-0-0x000007FEF55D3000-0x000007FEF55D4000-memory.dmp

Filesize
4KB

Download
memory/2500-9-0x00000000004E0000-0x00000000004F0000-memory.dmp

Filesize
64KB

Download
memory/2500-23-0x0000000002550000-0x0000000002558000-memory.dmp

Filesize
32KB

Download
memory/2500-14-0x0000000000D70000-0x0000000000D7C000-memory.dmp

Filesize
48KB

Download
memory/2500-7-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/2500-22-0x0000000002540000-0x000000000254C000-memory.dmp

Filesize
48KB

Download
memory/2500-6-0x0000000000490000-0x00000000004A6000-memory.dmp

Filesize
88KB

Download
memory/2500-2-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2500-5-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/2500-21-0x0000000002530000-0x000000000253E000-memory.dmp

Filesize
56KB

Download
memory/2500-4-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/2500-20-0x0000000002520000-0x0000000002528000-memory.dmp

Filesize
32KB

Download
memory/2500-3-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/2500-19-0x0000000002510000-0x000000000251E000-memory.dmp

Filesize
56KB

Download
memory/2500-18-0x0000000002500000-0x000000000250A000-memory.dmp

Filesize
40KB

Download
memory/2708-273-0x0000000001230000-0x0000000001286000-memory.dmp

Filesize
344KB

Download
memory/3000-346-0x0000000000A50000-0x0000000000D36000-memory.dmp

Filesize
2.9MB

Download