Analysis
- max time kernel: 150s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 13-05-2024 18:49
Behavioral task: behavioral1
- Sample: 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
- Resource: win7-20240508-en
General
- Target: 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
- Size: 3.2MB
- MD5: 00195dc23ea8cc5cb728c411f684ff40
- SHA1: 604a8ca144781805d4ea73de01caee8ba98c176d
- SHA256: 5d911e8e304885f5489587b85e5a43101d5a1078cbcb27727bdd16b78dd45df1
- SHA512: 218d3eb66ed906759a695160e8984e95e75aa2c7c4e5558d5941c16658f3e1df718213e307a9f8d3823fd4eaa8713e8cfda95f5de70b9d29cd29ad2ca73c3ddd
- SSDEEP: 98304:2smfE8eD0M782w1JSdvi199xP9/ecsFjPSz:2QNBY2S99xl
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
- Process spawned unexpected child process (36 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell (1 TTPs, 12 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Executes dropped EXE (12 IoCs)
- Drops file in Program Files directory (20 IoCs)
- Drops file in Windows directory (10 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 36 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of AdjustPrivilegeToken (25 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification 1 TTPs 39 IoCs
All 39 writes go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and switch off User Account Control: EnableLUA = 0 disables UAC entirely (effective after the next reboot), ConsentPromptBehaviorAdmin = 0 elevates administrators without a prompt, and PromptOnSecureDesktop = 0 takes any remaining prompt off the secure desktop. The initial sample writes the three values once; each of the twelve audiodg.exe relaunches writes them again.
Processes: audiodg.exe (12 instances), 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe
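Thirty-nine rows that repeat three value names are hard to turn into a verdict by eye. The following Python is an added example, not part of the sandbox report: it parses rows in the exact format of the table above, keeps only writes to the UAC policy key with the data that removes a protection, collapses the repeats per value and per writing image, and states whether the combination leaves UAC fully disabled. The sample rows are copied from the table above (a subset); the last row is a constructed control row, not from the report, that sets EnableLUA back to 1 and must not be reported.

```python
import re
from collections import Counter

# Rows copied from the "System policy modification" table above (a subset of the 39);
# the last row is a constructed control row, not from the report.
POLICY_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" audiodg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" constructed_control.exe
""".strip().splitlines()

# Columns in the table: description = 'Set value (type) key\name = "data"', then the process.
ROW = re.compile(r'^Set value \((\w+)\) (\S+)\\([^\\\s]+) = "([^"]*)" (\S+)$')

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Value name -> (data that removes the protection, what that removal means).
UAC_VALUES = {
    "EnableLUA": ("0", "UAC switched off entirely (effective after the next reboot)"),
    "ConsentPromptBehaviorAdmin": ("0", "administrators are elevated without any prompt"),
    "PromptOnSecureDesktop": ("0", "any remaining prompt is shown on the normal, spoofable desktop"),
}


def parse_policy_writes(rows):
    """One dict per well-formed row; rows that do not match the table layout are skipped."""
    writes = []
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            continue
        vtype, key, name, data, image = m.groups()
        writes.append({"type": vtype, "key": key, "name": name, "data": data, "image": image})
    return writes


def assess_uac(writes):
    """Collapse the repeated writes and state which UAC protections the set removes and by whom."""
    hits = {}
    for w in writes:
        if w["key"].lower() != UAC_KEY.lower() or w["name"] not in UAC_VALUES:
            continue
        bad_data, _ = UAC_VALUES[w["name"]]
        if w["type"] == "int" and w["data"] == bad_data:
            hits.setdefault(w["name"], set()).add(w["image"])
    findings = [
        f"{name} = 0 written by {', '.join(sorted(images))}: {UAC_VALUES[name][1]}"
        for name, images in sorted(hits.items())
    ]
    return {
        "writers": Counter(w["image"] for w in writes),
        "hits": hits,
        "findings": findings,
        "uac_fully_disabled": set(hits) == set(UAC_VALUES),
    }


if __name__ == "__main__":
    result = assess_uac(parse_policy_writes(POLICY_ROWS))
    print("\n".join(result["findings"]))
    print("all three protections removed:", result["uac_fully_disabled"])
```

The key comparison is case-insensitive because registry keys are; the value-name comparison is not relaxed, so a misspelt or look-alike value name is reported as nothing rather than as a hit.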
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe"
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2424

[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540

[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964

[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2316

[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780

[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760

[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:344

[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1360

[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1840

[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520

[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1444
[level 2] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WemxlMlzgx.bat"
- Suspicious use of WriteProcessMemory
PID:536

[level 3] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1744

[level 3] C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
Command line: "C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:292

[level 4] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11bd8d8e-5f79-49ad-9a25-3074162a2abf.vbs"
- Suspicious use of WriteProcessMemory
PID:2596

[level 5] C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
Command line: C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1652

[level 6] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfda475f-2f34-4728-a1d6-2d92b6bc2c2b.vbs"
- Suspicious use of WriteProcessMemory
PID:2132

[level 7] C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
Command line: C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1296

[level 8] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0418a95-c32e-46f8-97bf-798fdf835b7d.vbs"
PID:624

[level 9] C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
Command line: C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2516

[level 10] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df84f95f-ec81-487a-b75b-d4aca1324777.vbs"
PID:2148

[level 11] C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
Command line: C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:832

[level 12] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59d5f118-5d7b-43e3-a13b-6ac94899590a.vbs"
PID:1892

[level 13] C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
Command line: C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2412

[level 14] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a64e887-0dd6-46b0-b021-25d984d2b0e3.vbs"
PID:1080

[level 15] C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
Command line: C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2100

[level 16] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52909b4a-e230-4366-8221-a79f0145ee77.vbs"
PID:1700

[level 17] C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
Command line: C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2060

[level 18] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3a1c5c7-9e11-4be1-9136-ac42a59bfc5e.vbs"
PID:624

[level 19] C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
Command line: C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2688

[level 20] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5eae11ce-2f49-4c9a-9e5f-e6e0b98509c4.vbs"
PID:548

[level 21] C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
Command line: C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2488

[level 22] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c8fe3fa-cc26-47f2-9912-795cb7d005e0.vbs"
PID:1548

[level 23] C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
Command line: C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:764

[level 24] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\636ddb08-054b-43cc-825e-c4c27dc20f4c.vbs"
PID:1840

[level 25] C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
Command line: C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1936

[level 26] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f44a2b8-d14b-4570-a8d1-94be2589060a.vbs"
PID:328

[level 26] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72c32c4d-a8ce-4c04-8ce9-e2500e150198.vbs"
PID:2424

[level 24] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d661e586-38cc-4004-8e1a-50317f4d462e.vbs"
PID:1824

[level 22] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f71d630-4cf3-4b42-a801-d995437f1824.vbs"
PID:2380

[level 20] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a4e855f-3ca1-40c1-b612-5afdd744f45c.vbs"
PID:2672

[level 18] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14e8519e-9755-47f7-934f-438909566f85.vbs"
PID:536

[level 16] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f55d8b27-1e83-4965-afae-959964428edb.vbs"
PID:1888

[level 14] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8185cbae-530e-4313-9dac-c2dd5cb84acc.vbs"
PID:1784

[level 12] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac2c65eb-b9d2-4050-b202-06475ddd8edb.vbs"
PID:2640

[level 10] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5f2bfd6-feb7-498d-8f91-14befed056b4.vbs"
PID:1932

[level 8] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6aa0e89d-56e1-4b72-a662-04199387ea97.vbs"
PID:2736

[level 6] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b37a851-7dff-4ee2-b97a-2c9cecaae4d6.vbs"
PID:2976

[level 4] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ecb2cc2-cb81-47ef-83bf-c14eecd62923.vbs"
PID:1576
[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2664

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Desktop\Idle.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2580

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Desktop\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2460

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\explorer.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Downloads\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\it-IT\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\it-IT\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Network Sharing\lsm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Network Sharing\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2452

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics0" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics" /sc ONLOGON /tr "'C:\Windows\Fonts\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2556

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics0" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\lsm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3068

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2856

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:688

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1420

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default\NetHood\services.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\NetHood\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2340

[level 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default\NetHood\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2432
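The 36 schtasks invocations above follow one pattern: each dropped binary gets a task that fires at logon with /rl HIGHEST, plus one or two MINUTE-interval tasks that restart it every few minutes, and every binary borrows the name of a Windows system process (csrss.exe, audiodg.exe, spoolsv.exe, winlogon.exe, lsm.exe, services.exe, sppsvc.exe, explorer.exe) while living somewhere it never should. The following Python is an added example, not part of the sandbox report: it parses schtasks /create command lines in this form, pulls out name, schedule, interval, target path and run level, and flags the masquerading, the elevated run level and the watchdog interval. The sample lines are copied from the process list above (a subset of the 36); the EXPECTED_DIR table of where those image names legitimately live on Windows 7 and the 15-minute watchdog threshold are this example's own assumptions.

```python
import re

# schtasks command lines copied from the process list above (a subset of the 36).
SCHTASKS_LINES = r"""
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /f
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\Idle.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\spoolsv.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics0" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /f
""".strip().splitlines()

# /switch followed by either a double-quoted value (may contain spaces) or a bare token.
OPT = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)

# Where each of these image names legitimately lives on Windows 7 (assumption: trimmed
# to the names this report uses; extend it for your own estate).
EXPECTED_DIR = {
    "csrss.exe": r"C:\Windows\System32",
    "audiodg.exe": r"C:\Windows\System32",
    "spoolsv.exe": r"C:\Windows\System32",
    "winlogon.exe": r"C:\Windows\System32",
    "lsm.exe": r"C:\Windows\System32",
    "services.exe": r"C:\Windows\System32",
    "sppsvc.exe": r"C:\Windows\System32",
    "explorer.exe": r"C:\Windows",
}
WATCHDOG_MINUTES = 15   # assumption: anything re-run at least this often is treated as a watchdog


def parse_schtasks(cmdline):
    """Extract name, schedule, interval, target path and run level from a schtasks /create line."""
    opts = {k.lower(): v.strip('"') for k, v in OPT.findall(cmdline)}
    schedule = opts.get("sc", "").upper()
    return {
        "name": opts.get("tn"),
        "schedule": schedule,
        "every_minutes": int(opts["mo"]) if schedule == "MINUTE" and "mo" in opts else None,
        "target": opts.get("tr", "").strip("'"),   # this sample wraps the path as "'path'"
        "highest": opts.get("rl", "").upper() == "HIGHEST",
    }


def masquerade_flags(task):
    """Reasons this task matches the persistence pattern seen in the process list above."""
    directory, _, image = task["target"].rpartition("\\")
    flags = []
    expected = EXPECTED_DIR.get(image.lower())
    if expected and directory.lower() != expected.lower():
        flags.append(f"system image name '{image.lower()}' outside {expected}")
    if task["highest"]:
        flags.append("runs with highest privileges")
    if task["schedule"] == "ONLOGON":
        flags.append("re-launched at every logon")
    if task["every_minutes"] is not None and task["every_minutes"] <= WATCHDOG_MINUTES:
        flags.append(f"re-launched every {task['every_minutes']} min (watchdog)")
    return flags


def triage(lines):
    """Parse every /create line and attach its flags; other schtasks verbs are ignored."""
    tasks = []
    for line in lines:
        if "/create" not in line.lower():
            continue
        task = parse_schtasks(line)
        task["flags"] = masquerade_flags(task)
        tasks.append(task)
    return tasks


if __name__ == "__main__":
    for t in triage(SCHTASKS_LINES):
        print(f"{t['name']:<50} {t['target']}")
        for f in t["flags"]:
            print("   -", f)
```

Note that the sample's own copy in C:\Windows\Fonts carries no system-binary name and so gets only the watchdog flag; the run-level and logon flags are what distinguish the "real" persistence tasks from the restart timers, and both are worth alerting on regardless of the image name.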
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Scheduled Task/Job (1)
Downloads
Filesize 3.2MB
MD5 a78375666ec40adbc66c67d9c35b2e45
SHA1 0663cf4acc5a1fe3e47749b82aa4b5ce9d73a143
SHA256 c31d86e19a9d250e11bd588a7151ecf3cdf48deeacb71d443903046534c85d44
SHA512 c30a7558a0bae0ff7f125f274dd4febd48fddbac54efa32e891c70fff9c9d3b99715fb11e379e5e2e3c6f6d589bc3296f52cdc6588d13e107ccd2f59867b1e58

Filesize 3.2MB
MD5 bd0088e3beae02e5de4fd944bbe608fc
SHA1 c64b3c35bf65af6f1560f27664956fe3d5a60e3b
SHA256 c17ca9ea18dc949bab1d312c05646c3492ebf5d662a1d19f94dd715735ae60bb
SHA512 17f368c88f126321fbbcc26c587093b2cd86f5f23711fb907ba99f5e53fec46e630226ab1cfba4c84ed639265dd03a880dd1c6726ace93c68cc0a89679624e81

Filesize 3.2MB
MD5 00195dc23ea8cc5cb728c411f684ff40
SHA1 604a8ca144781805d4ea73de01caee8ba98c176d
SHA256 5d911e8e304885f5489587b85e5a43101d5a1078cbcb27727bdd16b78dd45df1
SHA512 218d3eb66ed906759a695160e8984e95e75aa2c7c4e5558d5941c16658f3e1df718213e307a9f8d3823fd4eaa8713e8cfda95f5de70b9d29cd29ad2ca73c3ddd

Filesize 3.2MB
MD5 b0076192bcb41d8a6117c48d4e982b3f
SHA1 6fb1a64f3b12bffd6c2d789d2685a2c0d46e49e1
SHA256 e1d7189ccc2ef3a8f33ddcfb089dc6f48e5b4a0cab12f948fc223969f836ff57
SHA512 c172b3d0c21ff3b043d8a7fad074be4af6e21a39a2de72769a0d321b751b6d164fbd29776d6dd1611c40436b6a1d57b536c4a65c08bf24d4fb10b9969b056ec0

Filesize 735B
MD5 eece65c143574b47c3eaa073f2ad9577
SHA1 35f32fbc2e0bb8912f9e90c41a8b76b4dd63eeb0
SHA256 d267d59025c79ecd45ed4680972b106f82ecfa28085445b82ce7773a14bffd03
SHA512 170318f8db866ead02dd8c147ff2b341beffd6ddd6aef8b755ffd7b28c9b8c5c074042bae9280f462aa6bd0ef54498a25ce180f7410e92e23382688f8905704a

Filesize 736B
MD5 3e4fdc5725796ba0ca79507fb0d1caac
SHA1 187b6e95d4ed41e5237e4490cf9f9ab6c4a4d65b
SHA256 1d7e86f347f5110918a6cd33a378bd008cd64fda2a0fd185fa2a032dc02b507b
SHA512 407b75a720492c061c8694c2379bedf7bcbcb46b77f9643ebcb88d8008f9e9b233d0dafea77e0c26b276d2f54dab3c58428618fd5ea9ae7d8c1813701d2f1ce1

Filesize 736B
MD5 f042ad399d11e8bf55fa331ae78b1d31
SHA1 413566335910af436f9505472fe91bb63e27e75a
SHA256 9ac577544f577234fe08457fc928d2f84592be1439b296746235053324bb7ace
SHA512 355d0e7029ccc45a7b3699df6d09039090a293faccca9324108b93e7e43fd7a03751c12bf0782d12e9f3bab12961c454180cb057b497246e08519888534c1965

Filesize 735B
MD5 9480d92c1afb035726d91e72388757eb
SHA1 03be624de37f9fcbddccac198afdfa10cbf66e8e
SHA256 3edb3c9a165e694953d3e18bdeb5fb351fd38040b207bf88e0b8258e77604ee1
SHA512 47fd79e4377068ec626e63107cc91bca212efdba41a0fd69d81105eb3025745e17ca8e4d5053fe91f17f79da21d306023661fac5a98442e35664bf16da65c884

Filesize 736B
MD5 73871616b62dec970c57d3494d67b703
SHA1 89c9637cd2f89ac6beab8ee82782abf78a5404df
SHA256 547e00e643730c92c4576d43834447d1ecc54acdea02035a9f0fc6d22fe5db4c
SHA512 a4db5a8b98da9a07bf0dc532e0d543e50032cea124553511f9e47134ff686bc891ef361a8de0ef851478e1510446d7eebbdceddd2ee0c4a823c86e95261c57cc

Filesize 512B
MD5 484a201a237c064e81412e90ad9a06b2
SHA1 9434ca0fc12641a863b4bdd4d173406b036ea10a
SHA256 f97e6d738556d7039104d4359d8d9460d5bfb0975cb82e26132ff01794f217cf
SHA512 b96358f09400645a97294424b2de6932ea9c9a0cf4bae0dcdca646ea8ae23b9bfced0add122c98f05131ed9b1fd5fe79c0abc42371593110dcbdb691db56a453

Filesize 735B
MD5 eab03728adcbd26b7fe7598ebdbfc4e5
SHA1 0e6485d957fdec273fc08336a24f682f07341c56
SHA256 013e0c23108867841ed17c5935d6fe66042482fc8323c4cfc932500f71de26e9
SHA512 cdc7b6ef945acc9ca556b470a70979aa3f25477d5623f6aa17dc145cdb9fefe7da1454653a4124b70026fdd450fc3495682d82381c593f1fa2d29ff024a74b79

Filesize 736B
MD5 c1e649ceef4d602b7a8b55739564cb28
SHA1 cff65256d15070b5bec5c5b2b9ef5bb336d5e094
SHA256 41726808d2c1fd34e49bd48b75f6fdc4a044451894ef04c9ad2c952edd4d89bf
SHA512 a18a44f24dbf0113b0266f882247f31ee3f59c818c8d693792ca7a7355ee79009f52e9fc7af68cc01e653402111e5f0491ceca76c775f472f0e6ae0bd8980c46

Filesize 736B
MD5 808f3ccd561c0e40ad20323363759a44
SHA1 3ed766465a6d4272e485e901d1055463f9e2c335
SHA256 13afdbb99982c3d72cf2b1dd03b385a6490fbeb5c321d41b5f1294371ef51dbd
SHA512 03a7bc910d9165450924ad1e366588ff4f717673e51c706678a511b43a3e02e1213570b4bc15186dd3d0d754baeb815d4ef92176fe8d5ed393c5c6a38cbf0cc5

Filesize 225B
MD5 5e39bb4f80e55ed72157f36eef423dca
SHA1 452c3fa3defc6b64f9d71aa25c8bac63615f2486
SHA256 124259e94e948f91a0c7edf1f22b0376d2f5037ac27f93e0622131419827638a
SHA512 0bf37b543f16ea28aaff86d805f16ea4e1d0ced5293003ea97202b7727bab5b3d9fb699da68cbf5b47907c1f05a6c5f66c91a90397c23917a141066a8878b897

Filesize 736B
MD5 b7697ef6a3698cd2d26050e0bcd4c783
SHA1 57f05388c1f0659c54c2c823b5224f6e7d3f3ae3
SHA256 fd24419e478a282242d820e483520baa53e198285f9a5830647a2cff9c7657f3
SHA512 c10ee3914cc27364999bc0cfb713c6e77bd1e9570e8ea6abc4e8f85022d3cafcf67e0ed50c112cc0930c3dacddf1dad8876f5dbbc12f66ba0416e170e669b30b

Filesize 736B
MD5 e16751969adceb1ca615ac4a9ebb556b
SHA1 f567386f0a7c48c0cdbf75adcc89d177654336da
SHA256 7176367ff522d5ee4484669647b71e6398465f8144102dda4e2bd8e168df31f6
SHA512 bd5fc196a82067625cc3d3f8569af9e5c7a3a0bfae5456a7e133ba593b1425a8f4ac5e001baf8db68d074860da0bb684f5d90199883f05388019523eb01201b9

Filesize 736B
MD5 58774ef42c8e761d4b8b4b1a69f35a3e
SHA1 72a51ea2c61e4616be4f98da31f938f2bd01876a
SHA256 e39d1b70881c964d7843d05e9961a4073e95637f024fb2b6e6c17ed5575d3166
SHA512 9c024167e9a3368ce375d39744f48424cfe3014e89718104d2c82cd6048f496f3f356d794bb5e7a98189991dc56876c74a57ccfe474f870946148b74461e847a

Filesize 736B
MD5 5751c4a742e68539ace8dfb5f4469494
SHA1 84584ec4ad06a8f098740fdfc9074bd6f261aa52
SHA256 291a342c1f10173ee2d8e3509b79252a74c253cda81ada1cd8c985b4f9380e4a
SHA512 513ae981cc6dfb60fdd493a45974931a9080078ef8943841d82fd9830e39cab124d835d579c27a4af63d8731fdf183a145466d23c64fcee1335a81ecbcf86660

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 28c5be1c4d9e189e1f54cf9d53daa053
SHA1 342793848d4e46cbb4127b3e14933b29bbbd4a98
SHA256 1fb6e08145b04972f76c3e1f3705e836df8a59125ee60be722018b50abedab9c
SHA512 135287653d9dd962f63a77a5aef111a6e5b728f3d78386438a24a1ace920685bbaf751d1ec0750bdd6ade9e430383536daafe4be3ae31b626efaf9d78f789613

Filesize 3.2MB
MD5 d618d1f6ed1e1b283005b5c51c2568eb
SHA1 8198c993bc5f28bc9121eef5324d3fe3e1f91c5c
SHA256 388f6b5d5569066dd299b9c997191fffe4665ccfeb1ac1f92ee58b224fa940a4
SHA512 9adba9ee8e34f5666a613ac334146a283205fe99c0db445b4909554b1e71f5e43ebd9b4894d6110612e96dd4c060275cfd4bc6eca38c09d51e64fb8f29d8c650