Analysis
- max time kernel: 51s
- max time network: 51s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-06-2024 07:11

Behavioral task: behavioral1
- Sample: 434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en

General
- Target: 434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe
- Size: 1.2MB
- MD5: a5eb2e112e632a425a7dda05b86658c0
- SHA1: 097e969d55bd57a7095f0769a979121c01cc8a2f
- SHA256: 434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2
- SHA512: 82149a2112d690209a076cfe1ea14e8901e3af10ee0f256f7f59e26fd37a7a1830cf60945a902b2e5e9d1b783779be4ac84e10bbd35162832f3eaf6376e3b09b
- SSDEEP: 12288:6gxqAqAVsc6zQ2Sms5TZFU2lAJqq+1KUL/QXmVjyr4ddDniHhU0uRtyLfaSVGArO:OMVsc6zk3ZFU2zDXbjhiBUI7TGAHh+j
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (42 instances)
Description (all 42 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid   pid_target  process
3180  3348        schtasks.exe
624   3348        schtasks.exe
1952  3348        schtasks.exe
3652  3348        schtasks.exe
4484  3348        schtasks.exe
3912  3348        schtasks.exe
1464  3348        schtasks.exe
4196  3348        schtasks.exe
1840  3348        schtasks.exe
2536  3348        schtasks.exe
2952  3348        schtasks.exe
3676  3348        schtasks.exe
1068  3348        schtasks.exe
3256  3348        schtasks.exe
2104  3348        schtasks.exe
2316  3348        schtasks.exe
3596  3348        schtasks.exe
1232  3348        schtasks.exe
3860  3348        schtasks.exe
1260  3348        schtasks.exe
4864  3348        schtasks.exe
4540  3348        schtasks.exe
4612  3348        schtasks.exe
3712  3348        schtasks.exe
2680  3348        schtasks.exe
4228  3348        schtasks.exe
1808  3348        schtasks.exe
5100  3348        schtasks.exe
4068  3348        schtasks.exe
4788  3348        schtasks.exe
1380  3348        schtasks.exe
5036  3348        schtasks.exe
2848  3348        schtasks.exe
4024  3348        schtasks.exe
4956  3348        schtasks.exe
2804  3348        schtasks.exe
1164  3348        schtasks.exe
3132  3348        schtasks.exe
2700  3348        schtasks.exe
4348  3348        schtasks.exe
5068  3348        schtasks.exe
1768  3348        schtasks.exe
-
Resources (DcRat yara matches):
resource                                                                    yara_rule
behavioral2/memory/3756-1-0x00000000003C0000-0x00000000004F2000-memory.dmp  dcrat
C:\Recovery\WindowsRE\lsass.exe                                             dcrat
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe (2 instances)
description        ioc                                                                                         process
Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe
-
Executes dropped EXE 1 IoCs
Processes: wininit.exe
pid   process
2776  wininit.exe
-
Drops file in Program Files directory 7 IoCs
Processes: 434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe (2 instances)
Process (all rows): 434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe
description   ioc
File created  C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\sppsvc.exe
File created  C:\Program Files\Google\wininit.exe
File created  C:\Program Files\Google\56085415360792
File created  C:\Program Files\Windows Defender\es-ES\RuntimeBroker.exe
File created  C:\Program Files\Windows Defender\es-ES\9e8d7a4ca61bd9
File created  C:\Program Files (x86)\Windows NT\Accessories\en-US\services.exe
File created  C:\Program Files (x86)\Windows NT\Accessories\en-US\c5b4cb5e9653cc
-
Drops file in Windows directory 7 IoCs
Processes: 434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe (2 instances)
Process (all rows): 434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe
description   ioc
File created  C:\Windows\OCR\en-us\dwm.exe
File created  C:\Windows\Prefetch\ReadyBoot\csrss.exe
File created  C:\Windows\Prefetch\ReadyBoot\886983d96e3d3e
File created  C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe
File created  C:\Windows\BitLockerDiscoveryVolumeContents\9e8d7a4ca61bd9
File created  C:\Windows\Branding\shellbrd\spoolsv.exe
File created  C:\Windows\Branding\shellbrd\f3b6ecef712a24
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (42 instances)
pid   process
schtasks.exe pids (42): 1840, 4228, 5100, 1768, 624, 1952, 4484, 3132, 2700, 3180, 4864, 4956, 1808, 5036, 3596, 1232, 2680, 1260, 3712, 4068, 2848, 1164, 1068, 2104, 2316, 4348, 3676, 3256, 3860, 1380, 4024, 5068, 3912, 4196, 2952, 4540, 4612, 4788, 2804, 3652, 1464, 2536
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes: 434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe (2 instances), wininit.exe
pid   process                                                                              entries
3756  434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe  13
3468  434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe  19
2776  wininit.exe                                                                          1
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: 434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe (2 instances), wininit.exe
description              pid   process
Token: SeDebugPrivilege  3756  434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe
Token: SeDebugPrivilege  3468  434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe
Token: SeDebugPrivilege  2776  wininit.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes: 434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe (2 instances)
description                        pid   process                                                                              target process
PID 3756 wrote to memory of 3468   3756  434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe  434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe
PID 3756 wrote to memory of 3468   3756  434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe  434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe
PID 3468 wrote to memory of 2776   3468  434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe  wininit.exe
PID 3468 wrote to memory of 2776   3468  434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe  wininit.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe (tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe"
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3756
-
C:\Users\Admin\AppData\Local\Temp\434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe (tree level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe"
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3468
-
C:\Program Files\Google\wininit.exe (tree level 3)
Command line: "C:\Program Files\Google\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\MusNotification.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Users\Default User\MusNotification.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\MusNotification.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3912
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Users\Default\NetHood\backgroundTaskHost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default\NetHood\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4196
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Default\NetHood\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3256
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4228
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\Temp\Crashpad\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\Crashpad\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Branding\shellbrd\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Branding\shellbrd\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\shellbrd\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4024
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Google\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\es-ES\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3132
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4348
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Recovery\WindowsRE\lsass.exe
Filesize: 1.2MB
MD5: a5eb2e112e632a425a7dda05b86658c0
SHA1: 097e969d55bd57a7095f0769a979121c01cc8a2f
SHA256: 434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2
SHA512: 82149a2112d690209a076cfe1ea14e8901e3af10ee0f256f7f59e26fd37a7a1830cf60945a902b2e5e9d1b783779be4ac84e10bbd35162832f3eaf6376e3b09b
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe.log
Filesize: 1KB
MD5: 7800fca2323a4130444c572374a030f4
SHA1: 40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa
SHA256: 29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e
SHA512: c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554
-
memory/3756-0-0x00007FFE770A3000-0x00007FFE770A5000-memory.dmp
Filesize: 8KB
-
memory/3756-1-0x00000000003C0000-0x00000000004F2000-memory.dmp
Filesize: 1.2MB
-
memory/3756-2-0x00007FFE770A0000-0x00007FFE77B61000-memory.dmp
Filesize: 10.8MB
-
memory/3756-3-0x000000001AF60000-0x000000001AF7C000-memory.dmp
Filesize: 112KB
-
memory/3756-5-0x000000001B0E0000-0x000000001B0F6000-memory.dmp
Filesize: 88KB
-
memory/3756-6-0x000000001B100000-0x000000001B10C000-memory.dmp
Filesize: 48KB
-
memory/3756-4-0x000000001B7F0000-0x000000001B840000-memory.dmp
Filesize: 320KB
-
memory/3756-21-0x00007FFE770A0000-0x00007FFE77B61000-memory.dmp
Filesize: 10.8MB