dcrat | 69913edd520ca7d5c4d8bd7a7d8fb7c69cc91c3bf9f985622b5675984162a5e9

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
Size

1.0MB
MD5

6133ae6da2b0253736674baefbf9dfa0
SHA1

e3c56c57e7fc62bd44e3eb639540641bbecee044
SHA256

69913edd520ca7d5c4d8bd7a7d8fb7c69cc91c3bf9f985622b5675984162a5e9
SHA512

27cd5887c82d0dbab338b07ba2e3ac43757b9c494d8cad2f60bd4e5eb4233c7b72a1ff8352d70892593ab5fc073fac16c7605ce5f4c9175a37d95a9df635710f
SSDEEP

12288:vubxAa9sUFxZ8oq7URPvyKBozWeL+vSgmtjJcDVrCTZSXlVB0mGEB0aNN/cPUeWl:w9sUFxZq7URPt6RL6nBrEZUjGE/L8YZ

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2668	schtasks.exe	28

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1732-1-0x0000000000160000-0x0000000000272000-memory.dmp	dcrat
behavioral1/files/0x00060000000145c9-17.dat	dcrat
behavioral1/files/0x000c000000013a15-95.dat	dcrat
behavioral1/files/0x00080000000148af-108.dat	dcrat
behavioral1/files/0x000700000001523e-126.dat	dcrat
behavioral1/files/0x0007000000015cd8-151.dat	dcrat
behavioral1/files/0x0008000000015ced-165.dat	dcrat
behavioral1/files/0x0008000000015bb5-176.dat	dcrat
behavioral1/memory/1944-224-0x0000000000AC0000-0x0000000000BD2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1400	powershell.exe
948	powershell.exe
2892	powershell.exe
492	powershell.exe
2380	powershell.exe
292	powershell.exe
3016	powershell.exe
1652	powershell.exe
572	powershell.exe
2304	powershell.exe
2812	powershell.exe
2852	powershell.exe
1356	powershell.exe
2024	powershell.exe
1724	powershell.exe
2328	powershell.exe
2080	powershell.exe
1920	powershell.exe
532	powershell.exe
2172	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1944	spoolsv.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\fr-FR\RCX1895.tmp	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX1F1D.tmp	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\RCX3601.tmp	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\dwm.exe	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File created	C:\Program Files\Windows Defender\fr-FR\wininit.exe	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\dwm.exe	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\886983d96e3d3e	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\csrss.exe	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\csrss.exe	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\RCX2130.tmp	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File created	C:\Program Files\Windows Defender\fr-FR\56085415360792	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\6cb0b6c459d5d3	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\f3b6ecef712a24	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\wininit.exe	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Registration\CRMLog\dllhost.exe	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\schemas\WCN\RCX318C.tmp	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\LiveKernelReports\System.exe	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File created	C:\Windows\Cursors\csrss.exe	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File created	C:\Windows\Registration\CRMLog\5940a34987c991	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File created	C:\Windows\rescache\rc0005\csrss.exe	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File created	C:\Windows\CSC\v2.0.6\Idle.exe	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File created	C:\Windows\LiveKernelReports\27d1bcfc3c54e0	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\RCX119F.tmp	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\LiveKernelReports\RCX33FD.tmp	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File created	C:\Windows\Registration\CRMLog\dllhost.exe	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File created	C:\Windows\schemas\WCN\dllhost.exe	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File created	C:\Windows\schemas\WCN\5940a34987c991	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Cursors\RCX1C9C.tmp	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Cursors\csrss.exe	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\schemas\WCN\dllhost.exe	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File created	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\0a1fd5f707cd16	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File created	C:\Windows\Cursors\886983d96e3d3e	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File created	C:\Windows\LiveKernelReports\System.exe	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File created	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\sppsvc.exe	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\sppsvc.exe	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCX25C4.tmp	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1144	schtasks.exe
2828	schtasks.exe
2364	schtasks.exe
1312	schtasks.exe
2224	schtasks.exe
2296	schtasks.exe
2376	schtasks.exe
1404	schtasks.exe
2444	schtasks.exe
556	schtasks.exe
1904	schtasks.exe
1976	schtasks.exe
1260	schtasks.exe
2956	schtasks.exe
1644	schtasks.exe
2156	schtasks.exe
348	schtasks.exe
2152	schtasks.exe
2324	schtasks.exe
2120	schtasks.exe
664	schtasks.exe
868	schtasks.exe
2524	schtasks.exe
2680	schtasks.exe
756	schtasks.exe
1240	schtasks.exe
2484	schtasks.exe
2800	schtasks.exe
1760	schtasks.exe
1624	schtasks.exe
2228	schtasks.exe
2836	schtasks.exe
1416	schtasks.exe
1716	schtasks.exe
396	schtasks.exe
1248	schtasks.exe
2036	schtasks.exe
2024	schtasks.exe
2840	schtasks.exe
1708	schtasks.exe
1536	schtasks.exe
1820	schtasks.exe
860	schtasks.exe
1656	schtasks.exe
3048	schtasks.exe
2384	schtasks.exe
2876	schtasks.exe
2616	schtasks.exe
2760	schtasks.exe
2620	schtasks.exe
2188	schtasks.exe
376	schtasks.exe
2576	schtasks.exe
2756	schtasks.exe
1396	schtasks.exe
3040	schtasks.exe
1932	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
2380	powershell.exe
1920	powershell.exe
2892	powershell.exe
2812	powershell.exe
1652	powershell.exe
948	powershell.exe
2304	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	1944	spoolsv.exe
Token: SeDebugPrivilege	292	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	492	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1920	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	86
PID 1732 wrote to memory of 1920	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	86
PID 1732 wrote to memory of 1920	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	86
PID 1732 wrote to memory of 2852	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	87
PID 1732 wrote to memory of 2852	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	87
PID 1732 wrote to memory of 2852	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	87
PID 1732 wrote to memory of 2812	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	88
PID 1732 wrote to memory of 2812	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	88
PID 1732 wrote to memory of 2812	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	88
PID 1732 wrote to memory of 2304	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	90
PID 1732 wrote to memory of 2304	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	90
PID 1732 wrote to memory of 2304	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	90
PID 1732 wrote to memory of 532	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	91
PID 1732 wrote to memory of 532	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	91
PID 1732 wrote to memory of 532	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	91
PID 1732 wrote to memory of 492	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	93
PID 1732 wrote to memory of 492	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	93
PID 1732 wrote to memory of 492	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	93
PID 1732 wrote to memory of 2892	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	94
PID 1732 wrote to memory of 2892	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	94
PID 1732 wrote to memory of 2892	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	94
PID 1732 wrote to memory of 948	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	96
PID 1732 wrote to memory of 948	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	96
PID 1732 wrote to memory of 948	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	96
PID 1732 wrote to memory of 1400	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	97
PID 1732 wrote to memory of 1400	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	97
PID 1732 wrote to memory of 1400	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	97
PID 1732 wrote to memory of 572	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	99
PID 1732 wrote to memory of 572	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	99
PID 1732 wrote to memory of 572	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	99
PID 1732 wrote to memory of 1724	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	100
PID 1732 wrote to memory of 1724	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	100
PID 1732 wrote to memory of 1724	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	100
PID 1732 wrote to memory of 2080	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	101
PID 1732 wrote to memory of 2080	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	101
PID 1732 wrote to memory of 2080	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	101
PID 1732 wrote to memory of 1652	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	102
PID 1732 wrote to memory of 1652	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	102
PID 1732 wrote to memory of 1652	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	102
PID 1732 wrote to memory of 3016	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	103
PID 1732 wrote to memory of 3016	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	103
PID 1732 wrote to memory of 3016	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	103
PID 1732 wrote to memory of 2024	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	104
PID 1732 wrote to memory of 2024	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	104
PID 1732 wrote to memory of 2024	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	104
PID 1732 wrote to memory of 292	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	105
PID 1732 wrote to memory of 292	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	105
PID 1732 wrote to memory of 292	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	105
PID 1732 wrote to memory of 1356	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	106
PID 1732 wrote to memory of 1356	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	106
PID 1732 wrote to memory of 1356	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	106
PID 1732 wrote to memory of 2328	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	107
PID 1732 wrote to memory of 2328	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	107
PID 1732 wrote to memory of 2328	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	107
PID 1732 wrote to memory of 2172	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	108
PID 1732 wrote to memory of 2172	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	108
PID 1732 wrote to memory of 2172	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	108
PID 1732 wrote to memory of 2380	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	109
PID 1732 wrote to memory of 2380	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	109
PID 1732 wrote to memory of 2380	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	109
PID 1732 wrote to memory of 1944	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	126
PID 1732 wrote to memory of 1944	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	126
PID 1732 wrote to memory of 1944	1732	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe	126

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\WCN\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\plugins\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\spoolsv.exe
  "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\spoolsv.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\fr-FR\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Libraries\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics6" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Users\All Users\6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics6" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\schemas\WCN\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\schemas\WCN\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\schemas\WCN\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\plugins\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\plugins\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\spoolsv.exe

Filesize
1.0MB

MD5
8eb8209fcead4dc2fec88d12cde6a4d6

SHA1
6e476d23827efd5ecd51f05eba4b83cf52e2f7f3

SHA256
caf660141f289b9353cd0645a934a2f5a9ee4efdfb67fe4bdf3aa6881feb08e7

SHA512
ca48c315131cfbc5790aa29ba44fdfcadeb783a0174e419e019b8917f4ed3f8906d70802ff59b2691426c328c2fa25a6dcff0259589ce47a0cfab212c4cad534

Download Submit
C:\Program Files\7-Zip\csrss.exe

Filesize
1.0MB

MD5
27fc2ab6b659e72372ac7213f84692cb

SHA1
aaade5be27f4cb5f90ded78d2c3da6bb2bfe847c

SHA256
bc4038100239da5468acc0c690af76969d4b27c364f22a92d1283f9755519290

SHA512
0e39d867fb3b31295ade9e7a7a1755df26beaf91e54bcf3a4e9717e8246825b4323abf4a2ab12e6dbd42f32ef540484906d66a10b93064450fbb6c28f479bb7b

Download Submit
C:\Program Files\VideoLAN\VLC\plugins\dwm.exe

Filesize
1.0MB

MD5
170237703e64e0eb6fdcabb71537b4ae

SHA1
eff79bf006c4b0cce64ab32d1d4255b83a3533f3

SHA256
342e172afde51d2384a80841e67ca3351330448951b57a84964ef105dbf97711

SHA512
5d02b92158e7b9c2124424bca5ed850a3384415c0cd9feab8ebfa22d7406a782e5fdb8e7fecfe5ceb5fc16aaf6f7822af7d7e5becbf6da1a82b8b9235454b07f

Download Submit
C:\Program Files\Windows Defender\fr-FR\wininit.exe

Filesize
1.0MB

MD5
6133ae6da2b0253736674baefbf9dfa0

SHA1
e3c56c57e7fc62bd44e3eb639540641bbecee044

SHA256
69913edd520ca7d5c4d8bd7a7d8fb7c69cc91c3bf9f985622b5675984162a5e9

SHA512
27cd5887c82d0dbab338b07ba2e3ac43757b9c494d8cad2f60bd4e5eb4233c7b72a1ff8352d70892593ab5fc073fac16c7605ce5f4c9175a37d95a9df635710f

Download Submit
C:\ProgramData\6133ae6da2b0253736674baefbf9dfa0_NeikiAnalytics.exe

Filesize
1.0MB

MD5
4b992407af15d5c229d169403b344b95

SHA1
dc3fb1b2e9a4f958714f5840af68bb930b9ad52a

SHA256
806ae24fe889036f40e1e2fe840ced22bc3cd8d2521f2375e0f1dcf8ca4b2e07

SHA512
167c0738ec1a3c007b3b45a9a5b22bc3b6bc95e93e56deb52d16d7f82f75815c4fe8ba05347aed09363cdc1e63740ded0e6fc616ccd82642fbb7c83c6cd72161

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c08c57167a3e31dadf75060401ec0c84

SHA1
0124b6816dbff4ebc95a22cac42b5280539c4c6b

SHA256
c8321bc129f29cf3e73f9bec53594d91f01253c62c5361e70363d8497cad6707

SHA512
e2b512bb3a3ebf686b4a92abb41711d8e6148ec4d9ba4dd854998dbd44a729d118b25bf9c9d68384a577fc445adfb006bdb5e9bbf16ab1c2b2abc2eecf44e16d

Download Submit
C:\Windows\Cursors\csrss.exe

Filesize
1.0MB

MD5
6e0c868db1198d064d521cdcb1aec509

SHA1
4f6e03f5b4411a432135808695c34aa8c9d1f984

SHA256
0b767e1dc4a3503bf4a326bd31984611b049f9260acdb63b6052ec603923a16d

SHA512
1c508537c7aa8e778252d9888b3438b2e7dc29b7278cb3c3c82d8f4c3386bd270009d1b2724c93a7df8660fe5e5efe7ce84f0394e53efa61c52288af98677e08

Download Submit
C:\Windows\schemas\WCN\dllhost.exe

Filesize
1.0MB

MD5
42f9d4233b1066429ae3cb26e3f238f1

SHA1
7c2471b65ccb5b396f745b51101c3629c67221c0

SHA256
b7cd65cf5c1b06798ff0d599344f7e3fc74c982bb80abf32871e01a16987c575

SHA512
c21a169c69c84feb49816032c71bc87551e56face920d91509bb9f5df68015668e58bf0e645d7d00bcb1cb8337679839d6d8f35064f494f82498e484b03a2f9c

Download Submit
memory/948-196-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/1732-0-0x000007FEF60C3000-0x000007FEF60C4000-memory.dmp

Filesize
4KB

Download
memory/1732-5-0x0000000000300000-0x000000000030A000-memory.dmp

Filesize
40KB

Download
memory/1732-4-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/1732-7-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/1732-3-0x0000000000140000-0x0000000000148000-memory.dmp

Filesize
32KB

Download
memory/1732-2-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp

Filesize
9.9MB

Download
memory/1732-1-0x0000000000160000-0x0000000000272000-memory.dmp

Filesize
1.1MB

Download
memory/1732-6-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/1732-240-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp

Filesize
9.9MB

Download
memory/1732-10-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp

Filesize
9.9MB

Download
memory/1944-224-0x0000000000AC0000-0x0000000000BD2000-memory.dmp

Filesize
1.1MB

Download
memory/2380-202-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download