Analysis
-
max time kernel
130s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
15-05-2024 05:14
Behavioral task
behavioral1
Sample
86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
-
Size
2.7MB
-
MD5
86ef16b6eb613bff73f73a75b7236310
-
SHA1
3de6bea5685131148fb7ef9b07c6dcce2d643929
-
SHA256
ea2c6dc28317191ff3aa2fc75fc9d3fd8a64510c4118b07074e67f1d0c6e1ef9
-
SHA512
9fd4a0bcbe5a454ea660d4ca6d7524161c2fe817be60e26d511e3f04093e1c6e0b10a11ba25ee3d709b766b63f9c5344d84ef448f5dc44884506a07b862c8e94
-
SSDEEP
49152:iH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:iHfE5Ad8Xd295UmGc
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 16 IoCs
Processes:
86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Program 
Files\\Mozilla Firefox\\sihost.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\SppExtComObj.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference 
Assemblies\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files 
(x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\unsecapp.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", 
\"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Program Files\\Mozilla Firefox\\sihost.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\110.0.5481.104\\Idle.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My 
Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\OfficeClickToRun.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe -
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this report the flagged parent is wmiprvse.exe (PID 3096) with 48 schtasks.exe children, the same count recorded under "Creates scheduled task(s)" below, so the spawn chain may simply reflect task creation brokered through the WMI provider host rather than an exploit of it; correlate the two signatures before treating this as exploitation.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3708 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1908 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4692 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4648 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2276 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1928 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3308 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4804 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2924 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3472 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2220 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3376 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2136 3096 
schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1452 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4728 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4748 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4612 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2400 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2284 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4620 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3332 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4440 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2052 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4820 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4336 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5088 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4864 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1484 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3936 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 576 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4536 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this 
process 424 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5052 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 516 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1596 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3336 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3504 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4568 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1784 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2636 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5072 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 912 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 956 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3556 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5012 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3852 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3940 3096 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3916 3096 schtasks.exe -
Processes:
86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exeOfficeClickToRun.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" OfficeClickToRun.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" OfficeClickToRun.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" OfficeClickToRun.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe -
Processes:
resource yara_rule behavioral2/memory/2408-1-0x0000000000DF0000-0x00000000010B0000-memory.dmp dcrat C:\Program Files\Uninstall Information\lsass.exe dcrat C:\Windows\debug\RuntimeBroker.exe dcrat C:\Program Files\Windows Security\BrowserCore\en-US\RCX4821.tmp dcrat C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe dcrat C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe dcrat behavioral2/memory/4848-191-0x00000000003D0000-0x0000000000690000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe -
Executes dropped EXE 1 IoCs
Processes:
OfficeClickToRun.exepid process 4848 OfficeClickToRun.exe -
Adds Run key to start application 2 TTPs 32 IoCs
Processes:
86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\OfficeClickToRun.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\Mozilla Firefox\\sihost.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Google\\Chrome\\Application\\110.0.5481.104\\Idle.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Mail\\Idle.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Uninstall Information\\lsass.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\SppExtComObj.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Google\\Chrome\\Application\\110.0.5481.104\\Idle.exe\"" 
86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Mail\\Idle.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Admin\\My Documents\\upfc.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Resources\\services.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\OfficeClickToRun.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\unsecapp.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\debug\\RuntimeBroker.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\Mozilla Firefox\\sihost.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Uninstall Information\\lsass.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\debug\\RuntimeBroker.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Resources\\services.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Admin\\My Documents\\upfc.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\unsecapp.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\SppExtComObj.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\"" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe -
Processes:
OfficeClickToRun.exe86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA OfficeClickToRun.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" OfficeClickToRun.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe -
Drops file in Program Files directory 41 IoCs
Processes:
86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exedescription ioc process File opened for modification C:\Program Files\Mozilla Firefox\RCX4EAC.tmp 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created C:\Program Files\Uninstall Information\lsass.exe 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created C:\Program Files\Windows Photo Viewer\ja-JP\e6c9b481da804f 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\e1ef82546f0b02 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\RCX3E97.tmp 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\MusNotification.exe 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\RCX4821.tmp 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created C:\Program Files\Reference Assemblies\Microsoft\9e8d7a4ca61bd9 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File opened for modification C:\Program Files\Uninstall Information\RCX3790.tmp 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File opened for modification C:\Program Files (x86)\Windows Photo Viewer\it-IT\SppExtComObj.exe 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\RCX50B0.tmp 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created C:\Program Files\Windows Security\BrowserCore\en-US\unsecapp.exe 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created 
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Idle.exe 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File opened for modification C:\Program Files\Windows Mail\Idle.exe 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File opened for modification C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File opened for modification C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX4A26.tmp 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created C:\Program Files\Windows Security\BrowserCore\en-US\29c1c3cc0f7685 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\SppExtComObj.exe 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created C:\Program Files\Mozilla Firefox\sihost.exe 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\6ccacd8608530f 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\unsecapp.exe 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Idle.exe 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\MusNotification.exe 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\RCX4C2A.tmp 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created C:\Program Files\Windows Mail\Idle.exe 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\RuntimeBroker.exe 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File opened for modification C:\Program Files\Uninstall Information\lsass.exe 
86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\RCX409C.tmp 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File opened for modification C:\Program Files\Windows Photo Viewer\ja-JP\RCX459F.tmp 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created C:\Program Files\Windows Mail\6ccacd8608530f 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created C:\Program Files (x86)\Windows Multimedia Platform\ee2ad38f3d4382 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created C:\Program Files\Mozilla Firefox\66fc9ff0ee96c2 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File opened for modification C:\Program Files\Windows Mail\RCX358B.tmp 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File opened for modification C:\Program Files\Mozilla Firefox\sihost.exe 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created C:\Program Files\Uninstall Information\6203df4a6bafc7 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\aa97147c4c782d 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe -
Drops file in Windows directory 8 IoCs
Processes:
86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exedescription ioc process File opened for modification C:\Windows\debug\RCX431E.tmp 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File opened for modification C:\Windows\debug\RuntimeBroker.exe 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created C:\Windows\Resources\services.exe 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created C:\Windows\Resources\c5b4cb5e9653cc 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created C:\Windows\debug\RuntimeBroker.exe 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File created C:\Windows\debug\9e8d7a4ca61bd9 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File opened for modification C:\Windows\Resources\RCX3A11.tmp 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe File opened for modification C:\Windows\Resources\services.exe 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 3708 schtasks.exe 4692 schtasks.exe 3936 schtasks.exe 576 schtasks.exe 3336 schtasks.exe 4568 schtasks.exe 2136 schtasks.exe 4728 schtasks.exe 4748 schtasks.exe 2636 schtasks.exe 912 schtasks.exe 3852 schtasks.exe 1908 schtasks.exe 1928 schtasks.exe 4612 schtasks.exe 2400 schtasks.exe 4440 schtasks.exe 1452 schtasks.exe 4820 schtasks.exe 4864 schtasks.exe 4536 schtasks.exe 3556 schtasks.exe 3308 schtasks.exe 5088 schtasks.exe 1596 schtasks.exe 1784 schtasks.exe 5072 schtasks.exe 2276 schtasks.exe 4804 schtasks.exe 3472 schtasks.exe 516 schtasks.exe 5012 schtasks.exe 1484 schtasks.exe 424 schtasks.exe 4648 schtasks.exe 2924 schtasks.exe 2220 schtasks.exe 3376 schtasks.exe 2284 schtasks.exe 4336 schtasks.exe 5052 schtasks.exe 956 schtasks.exe 3940 schtasks.exe 3916 schtasks.exe 4620 schtasks.exe 3332 schtasks.exe 2052 schtasks.exe 3504 schtasks.exe -
Modifies registry class 1 IoCs
Processes:
86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exepid process 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 
86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exepowershell.exeOfficeClickToRun.exedescription pid process Token: SeDebugPrivilege 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Token: SeDebugPrivilege 4920 powershell.exe Token: SeDebugPrivilege 4848 OfficeClickToRun.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.execmd.exedescription pid process target process PID 2408 wrote to memory of 4920 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe powershell.exe PID 2408 wrote to memory of 4920 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe powershell.exe PID 2408 wrote to memory of 3696 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe cmd.exe PID 2408 wrote to memory of 3696 2408 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe cmd.exe PID 3696 wrote to memory of 3568 3696 cmd.exe w32tm.exe PID 3696 wrote to memory of 3568 3696 cmd.exe w32tm.exe PID 3696 wrote to memory of 4848 3696 cmd.exe OfficeClickToRun.exe PID 3696 wrote to memory of 4848 3696 cmd.exe OfficeClickToRun.exe -
System policy modification 1 TTPs 6 IoCs
Processes:
OfficeClickToRun.exe86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" OfficeClickToRun.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" OfficeClickToRun.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" OfficeClickToRun.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2408 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4920
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yrrQ2TPTZL.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:3568
-
-
C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe"C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4848
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Documents\My Pictures\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Pictures\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\My Pictures\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\My Documents\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\My Documents\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Resources\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\MusNotification.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\MusNotification.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\MusNotification.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\debug\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3504
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\110.0.5481.104\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\110.0.5481.104\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\110.0.5481.104\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3916
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Downloads
-
Filesize
2.7MB
MD5ebe817f87b24a99851c6f46a7894be98
SHA159dc201ee89301aeb73b7c79371797eb72dd7b73
SHA256b2357320db336178a732f49634f6a18737ea80457556c2bad4342878babaa988
SHA5123b3d44c157d78bb545ff6365c4ce8ea7c32ff131aeffa7fb15089a8244cad4b343844f982ed2ba72ec51edf67309d5193f6c9768f9b39379edfb64521ac332ca
-
Filesize
2.7MB
MD586ef16b6eb613bff73f73a75b7236310
SHA13de6bea5685131148fb7ef9b07c6dcce2d643929
SHA256ea2c6dc28317191ff3aa2fc75fc9d3fd8a64510c4118b07074e67f1d0c6e1ef9
SHA5129fd4a0bcbe5a454ea660d4ca6d7524161c2fe817be60e26d511e3f04093e1c6e0b10a11ba25ee3d709b766b63f9c5344d84ef448f5dc44884506a07b862c8e94
-
Filesize
2.7MB
MD52b73a6c5cf947899032706265c447e0d
SHA1c0782f51c7951c4512dab56173b5a83de88bf688
SHA256b3bf4f0ab0b416c9981d4598efb5e935380d7ac0a5e925447510011e201d6bb6
SHA51200cf94d6035f30e6b7d683bfb037ad81eac73db50204358b75609d00f3025dd6fd77608452f6ce469570f9a7de30b7bec8d87ff1c5ddc16c8c25c04fab2428ff
-
Filesize
2.7MB
MD5395cdc96dbd8bec939c886d1052a2b4d
SHA1ce9bbc64046293cdce0a51bdeac4144caba1c6cf
SHA256726e46088cb7390f9893f907bb1acfd430edd61dbe95e7aaad8b4a0bf791388b
SHA5120bd939b43830c9022347390bb753b8211211b8b285554cc54c3b233c268561883d16c2682739156e9a962ef30e51fc884206d5304229a73435acabb1f5083f7e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
229B
MD5bd7af1b95ec039343adeda82c320079b
SHA11c4a092a0e5eb8f780671db9cece3411678ce4fe
SHA25611efaaebc5d7eca2d0062c6eca96458b142a1e00bc82198b8a564d90f7f22aeb
SHA512911b6e615edb60569b95237d8ec16064118789a431d23e2b7a58cd0e63952f1479478efbcd3f359c510e0d4b227bdbbe0362062370f0838ffc8cea091dcf9b7e
-
Filesize
2.7MB
MD52df515d11745c82c609702cc146c38b0
SHA1b30976043bb09cdf7fa7f097358704babd68afae
SHA2565528a5b6f8b86239dcf8a5e66f7e5ef2c8aa0eeb8321f670a603f1c0ad606b15
SHA512b7c46c57f327cf3c05387843c5c4f48d06b3de1ab188dae2624935a81730bbd049a5be3b14917dd7a3919726c5a06fdbd102c716227549b7290f92567bde24cd