Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 21-06-2024 23:17
Behavioral task: behavioral1
Sample: 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
Resource: win7-20240611-en
Behavioral task: behavioral2
Sample: 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
Size: 1.0MB
MD5: 527496f64e5df0e8c2c0fc3dd26842d0
SHA1: 91632db63b9dbeba3ee61ea02168fef4e856606d
SHA256: 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400
SHA512: c21c7c057c9a6a5d5222fe9125da4a880a80b1b180f316e2cb4a042a6dd16486c830533e7c81ab0ef8af4c2f784516d271c414b9b80558569cc6c7094a0b1eef
SSDEEP: 12288:fubxAa9sUFxZ8oq7URPvyKBozWeL+vSgmtjJcDVrCTZSXlVB0mGEB0aNN/cPUeWl:A9sUFxZq7URPt6RL6nBrEZUjGE/L8YZ
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
Processes: taskhost.exe, 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Processes:
resource | yara_rule
behavioral1/memory/2416-1-0x0000000000F00000-0x0000000001012000-memory.dmp | dcrat
C:\MSOCache\All Users\sppsvc.exe | dcrat
behavioral1/memory/2956-290-0x0000000000D90000-0x0000000000EA2000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
Executes dropped EXE 1 IoCs
Processes: taskhost.exe
pid | process
2956 | taskhost.exe
Processes: 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe, taskhost.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Drops file in Program Files directory 32 IoCs
Processes:
Drops file in Windows directory 4 IoCs
Processes: 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
description | ioc | process
File created | C:\Windows\LiveKernelReports\dwm.exe | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
File created | C:\Windows\LiveKernelReports\6cb0b6c459d5d3 | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
File opened for modification | C:\Windows\LiveKernelReports\RCX3D08.tmp | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
File opened for modification | C:\Windows\LiveKernelReports\dwm.exe | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Suspicious use of AdjustPrivilegeToken 22 IoCs
Processes:
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
System policy modification 1 TTPs 6 IoCs
Processes:
6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe taskhost.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" taskhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" taskhost.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2416 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\System.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\services.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2784 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\sppsvc.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2448 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:564 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\explorer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Multiplayer\Spades\spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:484 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Recent\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\fr-FR\lsm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1680 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\http\taskhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2180 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\services.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2320 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2536 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\explorer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:408 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\Idle.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2864 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\taskhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:600 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v0SKN5tiok.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
PID:636
-
C:\Program Files (x86)\Microsoft Office\taskhost.exe"C:\Program Files (x86)\Microsoft Office\taskhost.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Cookies\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\LiveKernelReports\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\LiveKernelReports\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Multiplayer\Spades\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Multiplayer\Spades\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Multiplayer\Spades\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Recent\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Recent\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Recent\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\fr-FR\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\fr-FR\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\lua\http\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\http\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\lua\http\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Desktop\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Templates\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052
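The process tree above is the whole story of this sample: a run of `powershell -Command Add-MpPreference -ExclusionPath` calls that exclude every drop location from Defender, a triplet of `schtasks /create` entries per copy (one ONLOGON task with `/rl HIGHEST`, two MINUTE-interval tasks), copies named after Windows system binaries (csrss.exe, lsm.exe, services.exe, dwm.exe, smss.exe) written outside System32, and the UAC policy values from the System policy modification section set to 0. The script below is an added example, not part of the report or of any Tria.ge tooling: it runs those checks over a constructed subset of the report's own command lines and registry writes, and flags each one. The `SYSTEM_BINARY_NAMES` list, the System32/SysWOW64/Windows allow-list, the 15-minute interval threshold and the rule names are this script's assumptions.

```python
"""Triage of the sandbox report's process and registry events.

Added example: EVENTS is a constructed subset copied from the report above,
and every name list, threshold and rule name is an assumption of this script.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Names the sample reuses for its copies (assumption: taken from the report's
# task targets). A real binary with one of these names lives in LEGIT_DIRS.
SYSTEM_BINARY_NAMES = {
    "csrss.exe", "lsm.exe", "services.exe", "smss.exe", "dwm.exe", "spoolsv.exe",
    "taskhost.exe", "dllhost.exe", "sppsvc.exe", "explorer.exe", "system.exe", "idle.exe",
}
LEGIT_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}
SHORT_INTERVAL_MINUTES = 15  # assumption: anything this frequent is a watchdog, not a job

SCHTASKS_RE = re.compile(
    r'/tn\s+"(?P<tn>[^"]+)".*?/sc\s+(?P<sc>\S+)(?:\s+/mo\s+(?P<mo>\d+))?'
    r'.*?/tr\s+"\'?(?P<tr>[^"\']+)\'?"(?P<rest>.*)$',
    re.IGNORECASE,
)
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'(?P<path>[^']+)'", re.IGNORECASE)
UAC_RE = re.compile(r'Policies\\System\\(?P<name>\w+)\s*=\s*"(?P<val>\d+)"')
# Value 0 on any of these disables or silences UAC (the three writes in the report).
UAC_WEAK = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0", "PromptOnSecureDesktop": "0"}


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def parse_schtasks(cmd: str) -> dict | None:
    """Pull task name, schedule, interval, target path and /rl HIGHEST out of a schtasks line."""
    m = SCHTASKS_RE.search(cmd)
    if not m:
        return None
    return {
        "name": m["tn"],
        "schedule": m["sc"].upper(),
        "every_minutes": int(m["mo"]) if m["mo"] else None,
        "target": m["tr"],
        "highest": "/rl highest" in m["rest"].lower(),
    }


def is_masquerading(path: str) -> bool:
    """True when a system-binary name sits in a directory where the real one never lives."""
    parent, _, name = path.lower().rpartition("\\")
    return name in SYSTEM_BINARY_NAMES and parent not in LEGIT_DIRS


def triage(events: list[tuple[int, str, str]]) -> list[Finding]:
    """events: (pid, kind, text) with kind "process" (command line) or "registry" (set-value)."""
    findings: list[Finding] = []
    for pid, kind, text in events:
        if kind == "registry":
            m = UAC_RE.search(text)
            if m and UAC_WEAK.get(m["name"]) == m["val"]:
                findings.append(Finding("uac_policy_weakened", pid, f'{m["name"]}={m["val"]}'))
            continue
        m = EXCLUSION_RE.search(text)
        if m:
            findings.append(Finding("defender_exclusion_added", pid, m["path"]))
            continue
        task = parse_schtasks(text)
        if task:
            flags = []
            if is_masquerading(task["target"]):
                flags.append("masquerading-name")
            if task["highest"]:
                flags.append("rl-highest")
            if task["schedule"] == "ONLOGON":
                flags.append("onlogon")
            if task["every_minutes"] is not None and task["every_minutes"] <= SHORT_INTERVAL_MINUTES:
                flags.append("short-interval")
            if flags:
                detail = f'{task["name"]} -> {task["target"]} [{",".join(flags)}]'
                findings.append(Finding("scheduled_task_persistence", pid, detail))
    return findings


# Constructed subset of the report's process tree and registry section (PIDs as listed there).
EVENTS = [
    (2936, "process", "\"powershell\" -Command Add-MpPreference -ExclusionPath "
                      "'C:\\Users\\Admin\\AppData\\Local\\Temp\\6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe'"),
    (1408, "process", "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Windows\\LiveKernelReports\\dwm.exe'"),
    (2584, "process", "schtasks.exe /create /tn \"dllhostd\" /sc MINUTE /mo 9 /tr "
                      "\"'C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe'\" /f"),
    (2008, "process", "schtasks.exe /create /tn \"dllhost\" /sc ONLOGON /tr "
                      "\"'C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe'\" /rl HIGHEST /f"),
    (536, "process", "schtasks.exe /create /tn \"dwm\" /sc ONLOGON /tr \"'C:\\Windows\\LiveKernelReports\\dwm.exe'\" /rl HIGHEST /f"),
    (636, "process", "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    (2416, "registry", "Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA = \"0\""),
    (2416, "registry", "Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin = \"0\""),
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f.rule:28} pid={f.pid:<5} {f.detail}")
```

The w32tm line from the .bat is included deliberately: it yields no finding on its own, which is the point of the rules keying on the exclusion, the task attributes and the registry values rather than on process names. The same three checks map directly onto Sysmon process-creation (event 1) and registry value-set (event 13) telemetry, where the parent (wmiprvse.exe for the schtasks entries, per the report's Process spawned unexpected child process signature) is a fourth signal worth adding.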
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
-
C:\MSOCache\All Users\sppsvc.exe
Filesize 1.0MB
MD5 527496f64e5df0e8c2c0fc3dd26842d0
SHA1 91632db63b9dbeba3ee61ea02168fef4e856606d
SHA256 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400
SHA512 c21c7c057c9a6a5d5222fe9125da4a880a80b1b180f316e2cb4a042a6dd16486c830533e7c81ab0ef8af4c2f784516d271c414b9b80558569cc6c7094a0b1eef
-
C:\Users\Admin\AppData\Local\Temp\v0SKN5tiok.bat
Filesize 217B
MD5 e292bdf73f5e2c3e86f291049d285201
SHA1 f237cdb7dada7b3c10f5ebaa867cebd2b4d9bcc4
SHA256 3fe55d2199865838a01a0dfa85765e56087f1d81929ca34f75a4b5fc1c0f814c
SHA512 363e2072378d19335bb890ceda95d09efe717d512378b1249a6c349ad099cfabc4268fa1c09b4dba8645595ef743d82939a5fb402c7b0c6be3427cee321d93d8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 4b0ac61c65a7f93116c411bc1fe98bbd
SHA1 2a8a6bdb372260c7e25a8537378bb5bbb96e5704
SHA256 7b245950e9170d99c8d8ae87943eea3680acd6b1ab8a6b4aed8a6e01e538aa78
SHA512 88ae7e7b2d4d81b428e33f385cd7f5f6a8c2b42b5758e11a191e6bfd89dfd5c0c6266d682691622bcc208bc4d0c3e62df86a3d9bfccdf27c76fea82cc5e368b9
-
\??\PIPE\srvsvc
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1408-208-0x000000001B790000-0x000000001BA72000-memory.dmp
Filesize 2.9MB
-
memory/1408-215-0x0000000002290000-0x0000000002298000-memory.dmp
Filesize 32KB
-
memory/2416-4-0x0000000000250000-0x0000000000260000-memory.dmp
Filesize 64KB
-
memory/2416-7-0x00000000003B0000-0x00000000003BC000-memory.dmp
Filesize 48KB
-
memory/2416-10-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp
Filesize 9.9MB
-
memory/2416-6-0x00000000002F0000-0x00000000002FC000-memory.dmp
Filesize 48KB
-
memory/2416-5-0x0000000000260000-0x000000000026A000-memory.dmp
Filesize 40KB
-
memory/2416-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp
Filesize 4KB
-
memory/2416-3-0x0000000000240000-0x0000000000248000-memory.dmp
Filesize 32KB
-
memory/2416-2-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp
Filesize 9.9MB
-
memory/2416-251-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp
Filesize 9.9MB
-
memory/2416-1-0x0000000000F00000-0x0000000001012000-memory.dmp
Filesize 1.1MB
-
memory/2956-290-0x0000000000D90000-0x0000000000EA2000-memory.dmp
Filesize 1.1MB
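Two things in the Downloads list above are worth checking before any of its hashes go into a blocklist: the dropped `C:\MSOCache\All Users\sppsvc.exe` carries exactly the submitted sample's MD5/SHA1/SHA256 (it is a self-copy, and the same path is the target of the "sppsvc" scheduled tasks), and the `\??\PIPE\srvsvc` entry carries the digests of zero-length input, so it describes no content at all. The script below is an added example, not part of the report: it takes a constructed subset of the section (SHA512 omitted), computes the empty-input digests with `hashlib` instead of hard-coding them, and sorts each entry into a verdict. Treating the Explorer jump list (`.customDestinations-ms`) as a host timeline artifact rather than a payload, and the verdict names themselves, are this script's assumptions.

```python
"""Dropped-file triage for the report's Downloads section.

Added example: DROPPED is a constructed subset copied from the section above;
the verdict names and the jump-list rule are assumptions of this script.
"""
from __future__ import annotations

import hashlib

# SHA256 of the submitted sample, from the General section of the report.
SAMPLE_SHA256 = "6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400"

# Digests of zero-length input, computed rather than copied: a row whose three
# hashes equal these has no content behind it and is not an indicator.
EMPTY = {
    "md5": hashlib.md5(b"").hexdigest(),
    "sha1": hashlib.sha1(b"").hexdigest(),
    "sha256": hashlib.sha256(b"").hexdigest(),
}

# Assumption: Explorer jump lists are timeline artifacts written by the host, not payloads.
HOST_ARTIFACT_SUFFIXES = (".customdestinations-ms", ".automaticdestinations-ms")

DROPPED = [
    {"path": r"C:\MSOCache\All Users\sppsvc.exe", "size": "1.0MB",
     "md5": "527496f64e5df0e8c2c0fc3dd26842d0",
     "sha1": "91632db63b9dbeba3ee61ea02168fef4e856606d",
     "sha256": "6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400"},
    {"path": r"C:\Users\Admin\AppData\Local\Temp\v0SKN5tiok.bat", "size": "217B",
     "md5": "e292bdf73f5e2c3e86f291049d285201",
     "sha1": "f237cdb7dada7b3c10f5ebaa867cebd2b4d9bcc4",
     "sha256": "3fe55d2199865838a01a0dfa85765e56087f1d81929ca34f75a4b5fc1c0f814c"},
    {"path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms",
     "size": "7KB",
     "md5": "4b0ac61c65a7f93116c411bc1fe98bbd",
     "sha1": "2a8a6bdb372260c7e25a8537378bb5bbb96e5704",
     "sha256": "7b245950e9170d99c8d8ae87943eea3680acd6b1ab8a6b4aed8a6e01e538aa78"},
    {"path": r"\??\PIPE\srvsvc", "size": None,
     "md5": "d41d8cd98f00b204e9800998ecf8427e",
     "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]


def classify(entry: dict, sample_sha256: str = SAMPLE_SHA256) -> str:
    """One verdict per row: empty-content, self-copy, host-artifact or new-artifact."""
    if all(entry[alg].lower() == digest for alg, digest in EMPTY.items()):
        return "empty-content"
    if entry["sha256"].lower() == sample_sha256.lower():
        return "self-copy"
    if entry["path"].lower().endswith(HOST_ARTIFACT_SUFFIXES):
        return "host-artifact"
    return "new-artifact"


def matches_entry(content: bytes, entry: dict) -> bool:
    """Check a file you retrieved yourself against all three reported digests."""
    return all(hashlib.new(alg, content).hexdigest() == entry[alg].lower() for alg in EMPTY)


def triage_dropped(entries: list[dict], sample_sha256: str = SAMPLE_SHA256) -> dict[str, list[str]]:
    """Split rows into hashes to block, paths to hunt for, and rows to leave out of the IoC set."""
    out: dict[str, list[str]] = {"block": [], "hunt_paths": [], "ignore": []}
    for entry in entries:
        verdict = classify(entry, sample_sha256)
        if verdict in ("empty-content", "host-artifact"):
            out["ignore"].append(entry["path"])
        else:
            out["block"].append(entry["sha256"].lower())
            out["hunt_paths"].append(entry["path"])
    out["block"] = list(dict.fromkeys(out["block"]))  # de-duplicate, keep order
    return out


if __name__ == "__main__":
    for entry in DROPPED:
        print(f"{classify(entry):14} {entry['path']}")
    print(triage_dropped(DROPPED))
```

The .bat (217 bytes, the one that runs w32tm and then launches the dropped taskhost.exe) is the only genuinely new file content in the list; the binary under MSOCache is the sample itself and the remaining copies under Program Files, Recovery, LiveKernelReports and the user profile (the task targets above) are not listed as dropped files, so a host-side hunt should go by path and by the scheduled-task names rather than by the hashes in this section alone.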