Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-05-2024 09:16
Behavioral task: behavioral1
Sample: d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe
Resource: win7-20240419-en
General
Target: d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe
Size: 2.9MB
MD5: d22bc2c281eda0bd630673443da3d2f0
SHA1: 31f11ef93b4a2d28a6445090128e37c32a58661c
SHA256: 38f4b04c7fe1ce4d8ce9e43eb0df87bdb03c0f3b432daa8670be4750bab542b6
SHA512: 76c82f89813b8e2e40a90b2347a971599a5afbf7a0484c99b74a3ddcb3cdeb330b94b9efbb111159603a17f64f8621ecbffa90c1c0c8c4fded469e0575044538
SSDEEP: 49152:H4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:YDKmzjWnC8Wikx1DUN2/Uq
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process (54 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (54 instances)
Columns as reported: description | pid | pid_target | process | target process
All 54 entries share the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 1480 and process schtasks.exe; the pid column, in reported order, is:
5108, 3652, 2524, 4032, 4452, 2184, 780, 4396, 3664, 4460, 232, 4312, 4536, 4860, 1696, 4360, 1216, 3488, 3128, 2384, 3864, 3576, 4456, 3628, 2688, 3660, 2004, 4184, 2232, 4668, 4992, 1788, 4612, 2252, 3616, 2036, 1212, 1376, 3712, 4496, 60, 1288, 360, 4188, 4300, 4296, 5092, 3924, 3400, 5072, 1840, 696, 4700, 1516
Processes: msedge.exe (11 instances), d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe
description | ioc | process (36 entries)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msedge.exe (11 entries)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe (1 entry)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | msedge.exe (11 entries)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe (1 entry)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | msedge.exe (11 entries)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe (1 entry)
Processes:
resource | yara_rule
behavioral2/memory/4580-1-0x00000000001F0000-0x00000000004D6000-memory.dmp | dcrat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Registry.exe | dcrat
C:\Recovery\WindowsRE\RCXE88A.tmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 12 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes: powershell.exe (12 instances)
pid | process
60, 5080, 1376, 4552, 4872, 2112, 1120, 3616, 2252, 2404, 1212, 4332 | powershell.exe (one entry per pid)
Checks computer location settings (2 TTPs, 12 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: msedge.exe (11 instances), d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | msedge.exe (11 entries)
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe (1 entry)
Executes dropped EXE (11 IoCs)
Processes: msedge.exe (11 instances)
pid | process
5928, 5236, 4272, 5572, 5072, 5908, 6056, 1144, 1476, 3748, 2308 | msedge.exe (one entry per pid)
Processes: msedge.exe (11 instances), d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe
description | ioc | process (24 entries)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msedge.exe (11 entries)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe (1 entry)
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msedge.exe (11 entries)
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe (1 entry)
Drops file in Program Files directory (21 IoCs)
Processes: d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe
description | ioc (process is d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe for every entry)
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\61a52ddc9dd915
File created | C:\Program Files\MsEdgeCrashpad\RuntimeBroker.exe
File created | C:\Program Files\WindowsApps\MovedPackages\fontdrvhost.exe
File created | C:\Program Files\Java\jdk-1.8\lib\22eafd247d37c3
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\RCXCB52.tmp
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe
File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\msedge.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\lib\TextInputHost.exe
File created | C:\Program Files (x86)\Windows Portable Devices\61a52ddc9dd915
File created | C:\Program Files\Java\jdk-1.8\lib\TextInputHost.exe
File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\RCXC90F.tmp
File opened for modification | C:\Program Files\MsEdgeCrashpad\RCXD48D.tmp
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\RCXEF54.tmp
File opened for modification | C:\Program Files\MsEdgeCrashpad\RuntimeBroker.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\lib\RCXE358.tmp
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\msedge.exe
File created | C:\Program Files (x86)\Windows Portable Devices\msedge.exe
File created | C:\Program Files\MsEdgeCrashpad\9e8d7a4ca61bd9
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\e6c9b481da804f
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\msedge.exe
Drops file in Windows directory (8 IoCs)
Processes: d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe
description | ioc (process is d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe for every entry)
File opened for modification | C:\Windows\ShellExperiences\upfc.exe
File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXE125.tmp
File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dwm.exe
File created | C:\Windows\ShellExperiences\upfc.exe
File created | C:\Windows\ShellExperiences\ea1d8f6d871115
File created | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dwm.exe
File created | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\6cb0b6c459d5d3
File opened for modification | C:\Windows\ShellExperiences\RCXD9EE.tmp
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 54 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (54 instances)
pid | process
4188, 1840, 4860, 4184, 2232, 1212, 2384, 3660, 4496, 1288, 780, 2036, 2524, 3864, 3400, 1516, 3664, 3576, 60, 4612, 4032, 4396, 232, 4668, 3652, 1216, 4456, 4296, 3616, 3128, 3628, 4992, 2252, 1696, 2688, 1376, 2184, 4536, 3924, 5072, 4700, 4460, 4360, 3488, 3712, 4300, 5092, 696, 5108, 4452, 1788, 360, 4312, 2004 | schtasks.exe (one entry per pid)
Modifies registry class (12 IoCs)
Processes: msedge.exe (11 instances), d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | msedge.exe (11 entries)
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe (1 entry)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe, powershell.exe (12 instances), msedge.exe (2 instances)
pid | process (64 entries)
4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe (24 entries)
1120, 2112, 2404, 1212, 1376, 3616, 4332, 60, 5080, 4872, 4552, 2252 | powershell.exe (3 entries per pid)
5928 | msedge.exe (2 entries)
5236 | msedge.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes: d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe, powershell.exe (12 instances), msedge.exe (11 instances)
description | pid | process
Token: SeDebugPrivilege | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe
Token: SeDebugPrivilege | 1120, 2112, 2404, 1212, 1376, 3616, 4872, 4332, 4552, 60, 5080, 2252 | powershell.exe (one entry per pid)
Token: SeDebugPrivilege | 5928, 5236, 4272, 5572, 5072, 5908, 6056, 1144, 1476, 3748, 2308 | msedge.exe (one entry per pid)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 4580 wrote to memory of 2252 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | powershell.exe |
| PID 4580 wrote to memory of 2252 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | powershell.exe |
| PID 4580 wrote to memory of 4872 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | powershell.exe |
| PID 4580 wrote to memory of 4872 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | powershell.exe |
| PID 4580 wrote to memory of 3616 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | powershell.exe |
| PID 4580 wrote to memory of 3616 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | powershell.exe |
| PID 4580 wrote to memory of 1120 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | powershell.exe |
| PID 4580 wrote to memory of 1120 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | powershell.exe |
| PID 4580 wrote to memory of 2112 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | powershell.exe |
| PID 4580 wrote to memory of 2112 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | powershell.exe |
| PID 4580 wrote to memory of 4552 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | powershell.exe |
| PID 4580 wrote to memory of 4552 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | powershell.exe |
| PID 4580 wrote to memory of 4332 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | powershell.exe |
| PID 4580 wrote to memory of 4332 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | powershell.exe |
| PID 4580 wrote to memory of 1212 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | powershell.exe |
| PID 4580 wrote to memory of 1212 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | powershell.exe |
| PID 4580 wrote to memory of 2404 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | powershell.exe |
| PID 4580 wrote to memory of 2404 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | powershell.exe |
| PID 4580 wrote to memory of 1376 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | powershell.exe |
| PID 4580 wrote to memory of 1376 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | powershell.exe |
| PID 4580 wrote to memory of 5080 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | powershell.exe |
| PID 4580 wrote to memory of 5080 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | powershell.exe |
| PID 4580 wrote to memory of 60 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | powershell.exe |
| PID 4580 wrote to memory of 60 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | powershell.exe |
| PID 4580 wrote to memory of 4360 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | cmd.exe |
| PID 4580 wrote to memory of 4360 | 4580 | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe | cmd.exe |
| PID 4360 wrote to memory of 5580 | 4360 | cmd.exe | w32tm.exe |
| PID 4360 wrote to memory of 5580 | 4360 | cmd.exe | w32tm.exe |
| PID 4360 wrote to memory of 5928 | 4360 | cmd.exe | msedge.exe |
| PID 4360 wrote to memory of 5928 | 4360 | cmd.exe | msedge.exe |
| PID 5928 wrote to memory of 1248 | 5928 | msedge.exe | WScript.exe |
| PID 5928 wrote to memory of 1248 | 5928 | msedge.exe | WScript.exe |
| PID 5928 wrote to memory of 4536 | 5928 | msedge.exe | WScript.exe |
| PID 5928 wrote to memory of 4536 | 5928 | msedge.exe | WScript.exe |
| PID 1248 wrote to memory of 5236 | 1248 | WScript.exe | msedge.exe |
| PID 1248 wrote to memory of 5236 | 1248 | WScript.exe | msedge.exe |
| PID 5236 wrote to memory of 3660 | 5236 | msedge.exe | WScript.exe |
| PID 5236 wrote to memory of 3660 | 5236 | msedge.exe | WScript.exe |
| PID 5236 wrote to memory of 768 | 5236 | msedge.exe | WScript.exe |
| PID 5236 wrote to memory of 768 | 5236 | msedge.exe | WScript.exe |
| PID 3660 wrote to memory of 4272 | 3660 | WScript.exe | msedge.exe |
| PID 3660 wrote to memory of 4272 | 3660 | WScript.exe | msedge.exe |
| PID 4272 wrote to memory of 2156 | 4272 | msedge.exe | WScript.exe |
| PID 4272 wrote to memory of 2156 | 4272 | msedge.exe | WScript.exe |
| PID 4272 wrote to memory of 5532 | 4272 | msedge.exe | WScript.exe |
| PID 4272 wrote to memory of 5532 | 4272 | msedge.exe | WScript.exe |
| PID 2156 wrote to memory of 5572 | 2156 | WScript.exe | msedge.exe |
| PID 2156 wrote to memory of 5572 | 2156 | WScript.exe | msedge.exe |
| PID 5572 wrote to memory of 1620 | 5572 | msedge.exe | WScript.exe |
| PID 5572 wrote to memory of 1620 | 5572 | msedge.exe | WScript.exe |
| PID 5572 wrote to memory of 2120 | 5572 | msedge.exe | WScript.exe |
| PID 5572 wrote to memory of 2120 | 5572 | msedge.exe | WScript.exe |
| PID 1620 wrote to memory of 5072 | 1620 | WScript.exe | msedge.exe |
| PID 1620 wrote to memory of 5072 | 1620 | WScript.exe | msedge.exe |
| PID 5072 wrote to memory of 4332 | 5072 | msedge.exe | WScript.exe |
| PID 5072 wrote to memory of 4332 | 5072 | msedge.exe | WScript.exe |
| PID 5072 wrote to memory of 4300 | 5072 | msedge.exe | WScript.exe |
| PID 5072 wrote to memory of 4300 | 5072 | msedge.exe | WScript.exe |
| PID 4332 wrote to memory of 5908 | 4332 | WScript.exe | msedge.exe |
| PID 4332 wrote to memory of 5908 | 4332 | WScript.exe | msedge.exe |
| PID 5908 wrote to memory of 3920 | 5908 | msedge.exe | WScript.exe |
| PID 5908 wrote to memory of 3920 | 5908 | msedge.exe | WScript.exe |
| PID 5908 wrote to memory of 6108 | 5908 | msedge.exe | WScript.exe |
| PID 5908 wrote to memory of 6108 | 5908 | msedge.exe | WScript.exe |
-
System policy modification 1 TTPs 36 IoCs
Processes:
| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msedge.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | msedge.exe |
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe" (depth 1)
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4580 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2252 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4872 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3616 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2112 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4552 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4332 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1212 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2404 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:60 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jGqiFaSSq9.bat" (depth 2)
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 3)
PID:5580
-
C:\Program Files (x86)\Windows Portable Devices\msedge.exe
"C:\Program Files (x86)\Windows Portable Devices\msedge.exe" (depth 3)
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5928 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3aeaf30-ec2d-4062-8753-d75b914ee0f7.vbs" (depth 4)
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Program Files (x86)\Windows Portable Devices\msedge.exe
"C:\Program Files (x86)\Windows Portable Devices\msedge.exe" (depth 5)
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5236 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74095c27-d6e7-448c-ba30-16da661cb3a8.vbs" (depth 6)
- Suspicious use of WriteProcessMemory
PID:3660 -
C:\Program Files (x86)\Windows Portable Devices\msedge.exe
"C:\Program Files (x86)\Windows Portable Devices\msedge.exe" (depth 7)
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4272 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5a798ce-8ebb-422f-8206-10049fa3dc06.vbs" (depth 8)
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Program Files (x86)\Windows Portable Devices\msedge.exe
"C:\Program Files (x86)\Windows Portable Devices\msedge.exe" (depth 9)
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5572 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20fc5d14-4655-4450-ae27-78d5c89beed8.vbs" (depth 10)
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Program Files (x86)\Windows Portable Devices\msedge.exe
"C:\Program Files (x86)\Windows Portable Devices\msedge.exe" (depth 11)
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5072 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ae8f19c-18ff-4d9b-b676-0903b219d3f7.vbs" (depth 12)
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Program Files (x86)\Windows Portable Devices\msedge.exe
"C:\Program Files (x86)\Windows Portable Devices\msedge.exe" (depth 13)
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5908 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee0f7703-bf12-487c-ac5c-74ebb31ad978.vbs" (depth 14)
PID:3920
-
C:\Program Files (x86)\Windows Portable Devices\msedge.exe
"C:\Program Files (x86)\Windows Portable Devices\msedge.exe" (depth 15)
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:6056 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\830863da-5757-478a-8920-35a7c9cc8df1.vbs" (depth 16)
PID:4408
-
C:\Program Files (x86)\Windows Portable Devices\msedge.exe
"C:\Program Files (x86)\Windows Portable Devices\msedge.exe" (depth 17)
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1144 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79c743ba-4c94-49d3-b6f2-eb0749e8603c.vbs" (depth 18)
PID:360
-
C:\Program Files (x86)\Windows Portable Devices\msedge.exe
"C:\Program Files (x86)\Windows Portable Devices\msedge.exe" (depth 19)
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1476 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\694691a3-e46e-4ab7-95c7-8163949e9d42.vbs" (depth 20)
PID:3844
-
C:\Program Files (x86)\Windows Portable Devices\msedge.exe
"C:\Program Files (x86)\Windows Portable Devices\msedge.exe" (depth 21)
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3748 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3ea442c-665d-41cf-b011-e26b17699af3.vbs" (depth 22)
PID:696
-
C:\Program Files (x86)\Windows Portable Devices\msedge.exe
"C:\Program Files (x86)\Windows Portable Devices\msedge.exe" (depth 23)
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2308 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40fdec03-baf2-422b-96cf-1b3077d98abc.vbs" (depth 24)
PID:5328
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6646480-4df7-42eb-8439-9707aa63c8e7.vbs" (depth 24)
PID:5480
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3946246e-4aa0-458d-bfee-eb64cdaf5b51.vbs" (depth 22)
PID:3840
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7dbbf7b-a77d-4f91-ab68-8d30953dc6be.vbs" (depth 20)
PID:5568
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a896905a-18ea-499c-b6d4-e029b1311946.vbs" (depth 18)
PID:5784
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\175088a7-dc06-4c39-a39a-cb8dea505bd5.vbs" (depth 16)
PID:3480
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43a5f508-1817-4b50-a249-d087cbe0408c.vbs" (depth 14)
PID:6108
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35556fa9-437e-49ee-99c5-e4edaef59169.vbs" (depth 12)
PID:4300
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e53e707-8cce-4368-a821-ac18000885a1.vbs" (depth 10)
PID:2120
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b255d3b-180e-4f89-a014-5d5044b333bc.vbs" (depth 8)
PID:5532
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7316da4c-dadb-492f-9f85-9a1c562d2ed3.vbs" (depth 6)
PID:768
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69179080-53d6-4d34-96d4-50f017890b97.vbs" (depth 4)
PID:4536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3652
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2524
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\msedge.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4032
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\msedge.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\msedge.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\msedge.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:780
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\msedge.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\msedge.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3664
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\odt\System.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:232
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\odt\System.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\NetHood\Registry.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\Registry.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\Registry.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4360
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3488
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\MsEdgeCrashpad\RuntimeBroker.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3128
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\MsEdgeCrashpad\RuntimeBroker.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\MsEdgeCrashpad\RuntimeBroker.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3864
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\odt\RuntimeBroker.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3576
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3628
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellExperiences\upfc.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\upfc.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3660
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellExperiences\upfc.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4184
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\odt\csrss.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4612
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dwm.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dwm.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dwm.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk-1.8\lib\TextInputHost.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\lib\TextInputHost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk-1.8\lib\TextInputHost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3712
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\odt\lsass.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:60
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:360
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4188
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4300
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Pictures\winlogon.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4296
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\winlogon.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5092
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Pictures\winlogon.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3924
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\odt\sppsvc.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3400
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:696
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4700
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1400 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:81⤵PID:3164
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Scheduled Task/Job 1
Downloads
-
Filesize
2.9MB
MD5 3032aa522025dbaeeab38849a8e22834
SHA1 620c3eaba0c3cc783d65953a363c3f416b3c1525
SHA256 3aa92b5a298842306d2cf08dfadc0e475a72e14c7583f722fa206b8fba465642
SHA512 e0730014e28f9b9157e30ff6dc1a48935c0c57f1630af3d94de22ee59aba9638460f05c692139aaecf3bfbf304cb184ca1efc9c6c05d39fc22d2d7b86248532b
-
Filesize
1KB
MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize
2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5 e8ce785f8ccc6d202d56fefc59764945
SHA1 ca032c62ddc5e0f26d84eff9895eb87f14e15960
SHA256 d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4
SHA512 66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f
-
Filesize
944B
MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD5 ecceac16628651c18879d836acfcb062
SHA1 420502b3e5220a01586c59504e94aa1ee11982c9
SHA256 58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9
SHA512 be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3
-
Filesize
944B
MD5 293a5e452e148112857e22e746feff34
SHA1 7a5018bf98a3e38970809531288a7e3efb979532
SHA256 05e48657fb5340817f522c955b379cfb639977480af3ab1414682e9bf6616551
SHA512 7332f2b22f4ab64bb67c1a493f7cf2b378e311d5be6c6c99339210d4e9022c17f01a698333cd679a0776cca23460e28ec88c2ccfcf50c732ee218ef25ab19049
-
Filesize
944B
MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
734B
MD5 ab5d096248538e4a9c52dda8b397a4e5
SHA1 7e60e4ac1b077b2cba8daa3284f3eeb6be144163
SHA256 a42088dc4cf35b63fdac6835d6058b6c1dc1ce1d696fa58c730830d5b4e3ce9c
SHA512 3e34042ee807678da2a3cb3d5593a1a793cb7fb2fdb1efd116894c92838942920d0da4cce6a3f6d2421c6f1b643d664c799aa1b3241f237b984d723ea45d827f
-
Filesize
734B
MD5 b7b1e08431c5d6238fa01eb8f0a4372b
SHA1 0744592ca780155a778337b5426118dac64ef450
SHA256 e68a99b7ca3fa475f6a2bf674e7669c052f8f16b6a315b38ae84410950de2f94
SHA512 6caf2fc940ddc054bd2733ed30994fea86837435ce44f6d2c4b646467489007f5f58e465b2648a8563f4d922f1b072cc779cea7c3e91f62ef31d2949a00a4a82
-
Filesize
734B
MD5 23502198ef4693054cdb295a3a6015ad
SHA1 904abadbe303baeadda8c00a212f25a0f55cda68
SHA256 9143c47566ece8ddfcfafe0729adb92f1900245b594163065be1301c93d64305
SHA512 f541efe3ad993807488da3ba4872850df70431c36f87c5673bd8f2fc6443929fc7d7abf64cdeabcd27256b2de9c54f609b651db720b1ddabc961b2ae5897ed4c
-
Filesize
510B
MD5 78a858a2c041377142ab18f6843f8c40
SHA1 a817622c66144d8da71282157e78a110a86cb7d7
SHA256 76638e09458d072a44d51185788723c14f4de5952923a749a406f2b199befe2d
SHA512 01cd2fd9f769d027ba453f7c9a07faedb400f0d81d7dd262325a9f44f701653b11ed3a20d5e8f25a73c691c3c1eb5c1702d3770127d5dd78a151b69813a8959f
-
Filesize
734B
MD5 f15158e52cef3e65f1ba1c99ca3740dc
SHA1 f7e6ae40f0cb24a86ed4245cb523ea51a16b636b
SHA256 835bea0d1304727d67c26b85f287917f3d3564f4ae5ebc64104e577344f88d78
SHA512 1e6ef42561cd9f81d50ad67765e44e081e18e4182549b6e4489f5aa10665ea07df3119c134a3c221ed37c1580cb4c30276e61fd076d04caf3d4e61fe7e288a46
-
Filesize
734B
MD5 08c85a706a4c9793a9b58c5483ac75a2
SHA1 88f4fb3ab8b0c6e41380be2cfc44329e73784048
SHA256 627949c9e1526bdc59fe75fb63bf15eaa0230e808b173a12843ca4704d5424b9
SHA512 3f118342beed7b3f2fabda32b427172c32091226ecd5d6ba4d1e0f212e25d7b606069efc1931a27b4e5575f8b117e725f81e7417241316d9d85a4ee8fa7312d4
-
Filesize
734B
MD5 b472e169c7f22721424254f80c25fb7d
SHA1 6ff191aff00a6e124dd4d94c7a239b6b4b7da3e7
SHA256 07f6626725479feb7bf4d68504dcabe7d3803694ecfc0ff56b1fc94a094286ad
SHA512 6c0cbfb243593ca3047b831c567cbcaaa16162eac178bc06ed0fa80c078f5986fd6e08ab64f4fa4e0a46b285d3227a009c92d0deba43b5dcbbfa6ec760d0a316
-
Filesize
734B
MD5 e9e9b7cca7c2d927cb32c337a1bbd3b6
SHA1 f16e06187a6759ec8121a4b44a4927c3a0a6d24d
SHA256 464265d4a8e952b594a79c9f2f3f91af2161b43a002ccbb553b5aee5a185eb3f
SHA512 5edb36601a2f46b725be3138caababb9754812386a92147e36ff826eb3bf964d7fc7f2790bd270fbc1ec41d05f33983b10a6c5e71667dbb23d4db3e726f127e0
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
734B
MD5 377d7fa276960260c633abc33f5a4c26
SHA1 f3e6fda338c54d737f213bb10a4f2725281be0d0
SHA256 cd8905c8da5ec97bd33d07740db2083bb4fcc374c5ac35237dd13595ef040aec
SHA512 3a008aa43d5358513186ed69f751d5647818d560a8a9c69b0c62d11bfba5a6baeaf4262264e2ee3905d5f1f043dcdd04df964562d94eb14d02806f75c271bbae
-
Filesize
734B
MD5 899246acab8e1ce1ff33faa8011d3fe3
SHA1 8ed14133c74af96f5f0daf066062707983da9b1a
SHA256 6a68d50c40981500d414f9336067ce71abd246cf6038aa3749831c663a78fe42
SHA512 9930790797b2ca347a74031c785395b3eae37d73c5348a86fcb8bbff807ad986c4a50b57c702c20da9666fbb32b716511845222fb6e2c80e2618c82aafcdf593
-
Filesize
734B
MD5 da3fa5ef38a2c58e1eac304a9b81e467
SHA1 95e8d959fef2a99e31cadb4b378d39dcb7277479
SHA256 2f627b7362e82b20184e68e5eaa301b1b6aa2ae2533013c153a3e195a27a79e1
SHA512 51ea252905717cacdfc787d44bfc630cfbe346beefeae3e87176cdc51b8d6666b597b030d1e73d5868639222655ce2f725432e86e7d713ad575436d7b3606f73
-
Filesize
734B
MD5 55944fe177feb17eaf80d1aff7523c4c
SHA1 4144e536236edc9098b50fc9e0707694580fb18e
SHA256 06ff00c7fef060675fc715aa32f6bd9ba5faa8dfce3d3ea5fe418a39cbd3fd9b
SHA512 cfc62aee8e3c4c6477927a4dc4b203c18773c6325f1bef47eb15e7bcdf575599773c9b5d40fd5fa7355a517970ae68d3dc44b2f4df3f33e2b1b7f86b34701445
-
Filesize
223B
MD5 8e369f2df73d1f2de2fbc3e73b03961b
SHA1 16eebccc40ec780f0b2d56dd1244f3f65a228b08
SHA256 16ecd977c0a989e2f636e192108ea4f04e713dce9d3019921b53eb0eb21cdc1e
SHA512 596feb099eb56a071ea8b684aeba18d66228719156e4a65b44c2a2a149b7f8058e192598b45fbbfe4c26d167e3192c5fe191f540e8157baa8fb70052161ce17e
-
Filesize
2.9MB
MD5 d22bc2c281eda0bd630673443da3d2f0
SHA1 31f11ef93b4a2d28a6445090128e37c32a58661c
SHA256 38f4b04c7fe1ce4d8ce9e43eb0df87bdb03c0f3b432daa8670be4750bab542b6
SHA512 76c82f89813b8e2e40a90b2347a971599a5afbf7a0484c99b74a3ddcb3cdeb330b94b9efbb111159603a17f64f8621ecbffa90c1c0c8c4fded469e0575044538