dcrat | eb17c2c4b3df22786ba8b79d6a9e3c5163d9b52bd679153a43072df8b3226a73

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
Size

2.9MB
MD5

28dd3f281832306f3fda43ca4b66f0d0
SHA1

c2dc92ba919c2b7b2bbae0727ba147c4d72a5e6f
SHA256

eb17c2c4b3df22786ba8b79d6a9e3c5163d9b52bd679153a43072df8b3226a73
SHA512

77397abe12a824511334543f27ce22003850de8610ed304b03687ed91979f63357fe786db46aedcf60d9d4c4ec428e80563151054358e31186664ffc1ac4474b
SSDEEP

49152:H4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:YDKmzjWnC8Wikx1DUN2/Uq

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3216	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	1316	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	1316	schtasks.exe	84

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4848-1-0x00000000001C0000-0x00000000004A6000-memory.dmp	dcrat
behavioral2/files/0x00080000000233e2-36.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4372	powershell.exe
2616	powershell.exe
4380	powershell.exe
3504	powershell.exe
1204	powershell.exe
3952	powershell.exe
4944	powershell.exe
2484	powershell.exe
1892	powershell.exe
2780	powershell.exe
4352	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 3 IoCs

pid	Process
3600	csrss.exe
4292	csrss.exe
1244	csrss.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Drops file in Program Files directory 36 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Multimedia Platform\7a0fd90576e088	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\sysmon.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\RCX64A2.tmp	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\eddb19405b7ce1	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\RCX5710.tmp	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\SppExtComObj.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\System.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\27d1bcfc3c54e0	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\22eafd247d37c3	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\System.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Registration\backgroundTaskHost.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\TextInputHost.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RCX66A6.tmp	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files\Windows Multimedia Platform\explorer.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Mail\unsecapp.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\sysmon.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\TextInputHost.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files\Windows Mail\29c1c3cc0f7685	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Mail\RCX550B.tmp	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\RCX6220.tmp	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\backgroundTaskHost.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft.NET\SppExtComObj.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft.NET\e1ef82546f0b02	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\121e5b5079f7c0	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\explorer.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files\Windows Mail\unsecapp.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\9e8d7a4ca61bd9	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\csrss.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCX52F7.tmp	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCX5992.tmp	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX5D9B.tmp	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\csrss.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Registration\RCX4CDA.tmp	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\886983d96e3d3e	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\GameBarPresenceWriter\StartMenuExperienceHost.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File created	C:\Windows\GameBarPresenceWriter\55b276f4edf653	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\RCX4EDE.tmp	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\StartMenuExperienceHost.exe	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4168	schtasks.exe
4396	schtasks.exe
4728	schtasks.exe
1660	schtasks.exe
2364	schtasks.exe
1688	schtasks.exe
2028	schtasks.exe
2396	schtasks.exe
2384	schtasks.exe
1320	schtasks.exe
4536	schtasks.exe
3216	schtasks.exe
4876	schtasks.exe
4988	schtasks.exe
2612	schtasks.exe
836	schtasks.exe
4184	schtasks.exe
536	schtasks.exe
668	schtasks.exe
2140	schtasks.exe
2532	schtasks.exe
2124	schtasks.exe
2740	schtasks.exe
2416	schtasks.exe
4368	schtasks.exe
4940	schtasks.exe
3600	schtasks.exe
3516	schtasks.exe
3756	schtasks.exe
2088	schtasks.exe
532	schtasks.exe
3984	schtasks.exe
4576	schtasks.exe
2720	schtasks.exe
4112	schtasks.exe
3580	schtasks.exe
4284	schtasks.exe
4440	schtasks.exe
1524	schtasks.exe
2660	schtasks.exe
3608	schtasks.exe
2144	schtasks.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	csrss.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
4372	powershell.exe
4372	powershell.exe
2616	powershell.exe
2616	powershell.exe
2484	powershell.exe
2484	powershell.exe
4944	powershell.exe
4944	powershell.exe
3952	powershell.exe
3952	powershell.exe
1892	powershell.exe
1892	powershell.exe
2780	powershell.exe
2780	powershell.exe
4352	powershell.exe
4352	powershell.exe
3504	powershell.exe
3504	powershell.exe
1204	powershell.exe
1204	powershell.exe
4380	powershell.exe
4380	powershell.exe
2484	powershell.exe
4380	powershell.exe
1204	powershell.exe
4372	powershell.exe
4372	powershell.exe
2616	powershell.exe
2780	powershell.exe
1892	powershell.exe
3952	powershell.exe
4944	powershell.exe
4352	powershell.exe
3504	powershell.exe
3600	csrss.exe
3600	csrss.exe
4292	csrss.exe
1244	csrss.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	3600	csrss.exe
Token: SeDebugPrivilege	4292	csrss.exe
Token: SeDebugPrivilege	1244	csrss.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 4944	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	127
PID 4848 wrote to memory of 4944	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	127
PID 4848 wrote to memory of 4372	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	128
PID 4848 wrote to memory of 4372	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	128
PID 4848 wrote to memory of 2484	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	129
PID 4848 wrote to memory of 2484	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	129
PID 4848 wrote to memory of 2616	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	130
PID 4848 wrote to memory of 2616	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	130
PID 4848 wrote to memory of 2780	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	131
PID 4848 wrote to memory of 2780	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	131
PID 4848 wrote to memory of 1892	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	132
PID 4848 wrote to memory of 1892	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	132
PID 4848 wrote to memory of 1204	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	133
PID 4848 wrote to memory of 1204	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	133
PID 4848 wrote to memory of 3504	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	135
PID 4848 wrote to memory of 3504	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	135
PID 4848 wrote to memory of 3952	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	137
PID 4848 wrote to memory of 3952	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	137
PID 4848 wrote to memory of 4352	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	139
PID 4848 wrote to memory of 4352	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	139
PID 4848 wrote to memory of 4380	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	141
PID 4848 wrote to memory of 4380	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	141
PID 4848 wrote to memory of 3600	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	149
PID 4848 wrote to memory of 3600	4848	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe	149
PID 3600 wrote to memory of 4308	3600	csrss.exe	150
PID 3600 wrote to memory of 4308	3600	csrss.exe	150
PID 3600 wrote to memory of 1424	3600	csrss.exe	151
PID 3600 wrote to memory of 1424	3600	csrss.exe	151
PID 4308 wrote to memory of 4292	4308	WScript.exe	159
PID 4308 wrote to memory of 4292	4308	WScript.exe	159
PID 4292 wrote to memory of 4320	4292	csrss.exe	160
PID 4292 wrote to memory of 4320	4292	csrss.exe	160
PID 4292 wrote to memory of 2684	4292	csrss.exe	161
PID 4292 wrote to memory of 2684	4292	csrss.exe	161
PID 4320 wrote to memory of 1244	4320	WScript.exe	162
PID 4320 wrote to memory of 1244	4320	WScript.exe	162
PID 1244 wrote to memory of 2208	1244	csrss.exe	163
PID 1244 wrote to memory of 2208	1244	csrss.exe	163
PID 1244 wrote to memory of 3120	1244	csrss.exe	164
PID 1244 wrote to memory of 3120	1244	csrss.exe	164

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\28dd3f281832306f3fda43ca4b66f0d0_NeikiAnalytics.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4380
- C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\csrss.exe
  "C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\csrss.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3600
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19a5541c-9e50-4ad2-8182-642202a78455.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\csrss.exe
      "C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\csrss.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4292
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0542707-6638-4317-988a-28ffd7caf934.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4320
      - C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\csrss.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\csrss.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6b87e45-1c90-4909-bc4c-ee255e351d10.vbs"
        7⤵
        
        PID:2208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc3289a4-46f1-4392-84bf-aa0abcea130e.vbs"
        7⤵
        
        PID:3120
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f7db0ae-e91b-4b67-89e0-576ab0a0f624.vbs"
        5⤵
        
        PID:2684
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56c425e8-4fe7-4516-bec1-4eb2fd83a08f.vbs"
    3⤵
    PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\GameBarPresenceWriter\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Windows\GameBarPresenceWriter\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\en-US\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Multimedia Platform\explorer.exe

Filesize
2.9MB

MD5
28dd3f281832306f3fda43ca4b66f0d0

SHA1
c2dc92ba919c2b7b2bbae0727ba147c4d72a5e6f

SHA256
eb17c2c4b3df22786ba8b79d6a9e3c5163d9b52bd679153a43072df8b3226a73

SHA512
77397abe12a824511334543f27ce22003850de8610ed304b03687ed91979f63357fe786db46aedcf60d9d4c4ec428e80563151054358e31186664ffc1ac4474b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
32eb17ed643bdd2ac703869af8eb5877

SHA1
ab47894bcee6cfd76b7600cf4c585edb3ee519c4

SHA256
caaab6753d5658d44295a57f7616ae0c9d76b845fe68a3020d4fb9f3bade2687

SHA512
6d4231040a74bc5f8db28dcac8dd87153358346b2717f7bde7b3db240f014434b73a1d0b176dea50062230840971abd61fa48508d4310858fc3ac4b98c977304

Download Submit
C:\Users\Admin\AppData\Local\Temp\19a5541c-9e50-4ad2-8182-642202a78455.vbs

Filesize
760B

MD5
fb15ba5bda612065ba018e49421023ca

SHA1
3fb7c2d8e66445c8b91bc477a83a95b9b845fb98

SHA256
c74723034c4e187ef2f445dcff933a1912304de26b07f7c3f38a9a956194458c

SHA512
a3a7554081b21522fc1e3d797772e52249e747fdf0e26132ae642f536d37699f27680355bff3b2355330ef56975e869bdb489def1a543299b9e3fa7ac62feefa

Download Submit
C:\Users\Admin\AppData\Local\Temp\56c425e8-4fe7-4516-bec1-4eb2fd83a08f.vbs

Filesize
536B

MD5
a309efd93b5811495c881b610abde33f

SHA1
99762df689a644033492c8a75b1965f011e899d0

SHA256
e0ab4d8e2ef361c0b48bc11a963104adc773438ed1c405e8b09e6489f5d522ad

SHA512
4cd5d7779be81c3c4429d447703a928ef6cebed2ecb06d46f2a5588cdc494666be3e8c6d6703b4ed3d7b986440efdfe42fb2586df9b66b71cf1aae1a54dd144a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2bkhgfub.epy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0542707-6638-4317-988a-28ffd7caf934.vbs

Filesize
760B

MD5
e9dbab9c61eca570f7d8f6a3458b92f9

SHA1
f808833a970e0d1554d7bb7a31d60cbad244c404

SHA256
cac988c2ece52b85429905a67e31e94fac4a737639d49a5c44cbcdf24959671e

SHA512
60585d64a0f1c036868617fd6b4df1888239b532beca326cb89c8994fd8755512f72d0814be80ce832803554455495b2d1e77425d448575b8fb6a292f9593d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6b87e45-1c90-4909-bc4c-ee255e351d10.vbs

Filesize
760B

MD5
c4dc9cab2f9426bbd3b59ae870deeca2

SHA1
9d7d5b88477c3df116d3e6edf5873c70e3e78c8c

SHA256
a4575099f120cb415de57372df633f6dea02561d2a34929cd4ab9c392a3b2991

SHA512
a0c4c1ab3f28620083495aaa24596fcc75a71e85d3c47590f59acc75fd74270457d007c53d45f04d9a05e0b348a88b9f8024cf3cf0fb7dd2447f25892db70db3

Download Submit
memory/4372-202-0x000001EE24140000-0x000001EE24162000-memory.dmp

Filesize
136KB

Download
memory/4848-7-0x0000000002610000-0x0000000002626000-memory.dmp

Filesize
88KB

Download
memory/4848-13-0x000000001B050000-0x000000001B05C000-memory.dmp

Filesize
48KB

Download
memory/4848-14-0x000000001B0B0000-0x000000001B0B8000-memory.dmp

Filesize
32KB

Download
memory/4848-18-0x000000001B860000-0x000000001B868000-memory.dmp

Filesize
32KB

Download
memory/4848-17-0x000000001BD90000-0x000000001C2B8000-memory.dmp

Filesize
5.2MB

Download
memory/4848-22-0x000000001B8A0000-0x000000001B8A8000-memory.dmp

Filesize
32KB

Download
memory/4848-27-0x000000001B8F0000-0x000000001B8FC000-memory.dmp

Filesize
48KB

Download
memory/4848-26-0x000000001B8E0000-0x000000001B8EA000-memory.dmp

Filesize
40KB

Download
memory/4848-25-0x000000001B8D0000-0x000000001B8D8000-memory.dmp

Filesize
32KB

Download
memory/4848-24-0x000000001B8C0000-0x000000001B8CC000-memory.dmp

Filesize
48KB

Download
memory/4848-23-0x000000001B8B0000-0x000000001B8BE000-memory.dmp

Filesize
56KB

Download
memory/4848-21-0x000000001B890000-0x000000001B89E000-memory.dmp

Filesize
56KB

Download
memory/4848-20-0x000000001B880000-0x000000001B88A000-memory.dmp

Filesize
40KB

Download
memory/4848-19-0x000000001B870000-0x000000001B878000-memory.dmp

Filesize
32KB

Download
memory/4848-16-0x000000001B830000-0x000000001B842000-memory.dmp

Filesize
72KB

Download
memory/4848-15-0x000000001B0C0000-0x000000001B0CC000-memory.dmp

Filesize
48KB

Download
memory/4848-12-0x000000001B7E0000-0x000000001B836000-memory.dmp

Filesize
344KB

Download
memory/4848-308-0x00007FFE5BD20000-0x00007FFE5C7E1000-memory.dmp

Filesize
10.8MB

Download
memory/4848-11-0x000000001B040000-0x000000001B04A000-memory.dmp

Filesize
40KB

Download
memory/4848-0-0x00007FFE5BD23000-0x00007FFE5BD25000-memory.dmp

Filesize
8KB

Download
memory/4848-8-0x000000001B010000-0x000000001B018000-memory.dmp

Filesize
32KB

Download
memory/4848-9-0x000000001B030000-0x000000001B038000-memory.dmp

Filesize
32KB

Download
memory/4848-10-0x000000001B020000-0x000000001B030000-memory.dmp

Filesize
64KB

Download
memory/4848-4-0x000000001B060000-0x000000001B0B0000-memory.dmp

Filesize
320KB

Download
memory/4848-5-0x00000000025E0000-0x00000000025E8000-memory.dmp

Filesize
32KB

Download
memory/4848-6-0x00000000025F0000-0x0000000002600000-memory.dmp

Filesize
64KB

Download
memory/4848-3-0x00000000025C0000-0x00000000025DC000-memory.dmp

Filesize
112KB

Download
memory/4848-2-0x00007FFE5BD20000-0x00007FFE5C7E1000-memory.dmp

Filesize
10.8MB

Download
memory/4848-1-0x00000000001C0000-0x00000000004A6000-memory.dmp

Filesize
2.9MB

Download