Analysis

max time kernel: 150s
max time network: 130s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 07:43

Behavioral task: behavioral1
Sample: 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Resource: win7-20240221-en

General

Target: 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Size: 3.2MB
MD5: 7d51904b084c1d1037f17ed8aaa57a70
SHA1: d2d0d38ca329c1cb2fa955c8fbb3f12cb28fc05d
SHA256: 8d23e71c63a93438c953695aa9cc56ca5a8a2b05ad94ba7535698add6dad98e6
SHA512: cb0065905907951367375dde96c9c6e4b27ffa041c4ab870e03744d94ef091010396e77fa6ff26e2b1677e36c7254ee953d23ffa707e1ffe79f939cfd91d8582
SSDEEP: 49152:nC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:nC0Fl8v/qXYrv5tG9uKJGAWl5N
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (45 instances)
All 45 rows share the same description, pid_target and process; only the pid differs.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 1668
process: schtasks.exe
pid (45 rows, in report order): 2432, 1664, 2464, 2820, 1560, 1520, 1568, 2628, 2000, 2704, 548, 1788, 1736, 768, 1944, 2828, 544, 1368, 2856, 2016, 644, 3048, 1332, 2004, 1852, 1228, 608, 708, 584, 1432, 1796, 2360, 2156, 2084, 1124, 2924, 328, 1004, 2572, 1600, 1808, 2244, 916, 944, 2952
Processes: 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe (8 instances)
24 rows in total; every row is attributed to 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe and each of the three values below is set 8 times.
description | ioc | process | rows
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | 8
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | 8
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | 8
Processes:
resource | yara_rule
behavioral1/memory/2340-1-0x0000000000280000-0x00000000005BC000-memory.dmp | dcrat
C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe | dcrat
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe | dcrat
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe | dcrat
C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe | dcrat
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | dcrat
C:\Program Files\Windows Mail\ja-JP\wininit.exe | dcrat
behavioral1/memory/1676-307-0x0000000000800000-0x0000000000B3C000-memory.dmp | dcrat
behavioral1/memory/1788-320-0x0000000001380000-0x00000000016BC000-memory.dmp | dcrat
behavioral1/memory/1468-378-0x00000000001B0000-0x00000000004EC000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes: powershell.exe (12 instances)
pid | process
556 | powershell.exe
688 | powershell.exe
2436 | powershell.exe
2492 | powershell.exe
2132 | powershell.exe
1520 | powershell.exe
2688 | powershell.exe
1416 | powershell.exe
536 | powershell.exe
2704 | powershell.exe
1564 | powershell.exe
1732 | powershell.exe
Executes dropped EXE 7 IoCs
Processes: 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe (7 instances)
pid | process
1676 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
1788 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
2856 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
2144 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
2412 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
2092 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
1468 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Processes: 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe (8 instances)
16 rows in total; every row is attributed to 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe and each of the two entries below appears 8 times.
description | ioc | process | rows
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | 8
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | 8
Drops file in Program Files directory 20 IoCs
Processes: 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Every row is attributed to 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe.
description | ioc
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\886983d96e3d3e
File created | C:\Program Files\Windows Mail\ja-JP\wininit.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\RCX3002.tmp
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\RCX3003.tmp
File opened for modification | C:\Program Files\Windows Mail\ja-JP\RCX44EB.tmp
File created | C:\Program Files (x86)\Windows Portable Devices\6cb0b6c459d5d3
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\RCX2BF9.tmp
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe
File created | C:\Program Files (x86)\Windows Portable Devices\dwm.exe
File created | C:\Program Files\Windows Mail\ja-JP\56085415360792
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\RCX2B8B.tmp
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\dwm.exe
File opened for modification | C:\Program Files\Windows Mail\ja-JP\RCX4559.tmp
File opened for modification | C:\Program Files\Windows Mail\ja-JP\wininit.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\9b2dce32fb4010
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX426A.tmp
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX42D8.tmp
Drops file in Windows directory 5 IoCs
Processes: 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Every row is attributed to 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe.
description | ioc
File opened for modification | C:\Windows\Vss\Writers\RCX24F1.tmp
File created | C:\Windows\Vss\Writers\lsm.exe
File opened for modification | C:\Windows\Vss\Writers\lsm.exe
File created | C:\Windows\Vss\Writers\101b941d020240
File opened for modification | C:\Windows\Vss\Writers\RCX24F0.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (45 instances)
Every row has process schtasks.exe; the pids, in report order, are:
3048, 1432, 2572, 2244, 944, 2432, 2464, 2820, 1664, 1788, 328, 548, 2004, 768, 2016, 1808, 2704, 544, 1368, 644, 1852, 1560, 1568, 2000, 1796, 2924, 1332, 584, 2156, 1520, 2628, 2856, 1600, 916, 2952, 1944, 2084, 1124, 608, 708, 2360, 1004, 1736, 2828, 1228
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe, powershell.exe (12 instances), 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
64 rows in total; consecutive identical rows are collapsed into the "rows" column, in report order.
pid | process | rows
2340 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | 47
1416 | powershell.exe | 1
556 | powershell.exe | 1
1732 | powershell.exe | 1
688 | powershell.exe | 1
2132 | powershell.exe | 1
2704 | powershell.exe | 1
1564 | powershell.exe | 1
2340 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | 1
1520 | powershell.exe | 1
2340 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | 1
2688 | powershell.exe | 1
536 | powershell.exe | 1
2436 | powershell.exe | 1
2492 | powershell.exe | 1
1676 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | 3
Suspicious use of AdjustPrivilegeToken 20 IoCs
Processes: 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe (8 instances), powershell.exe (12 instances)
description | pid | process
Token: SeDebugPrivilege | 2340 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Token: SeDebugPrivilege | 1416 | powershell.exe
Token: SeDebugPrivilege | 556 | powershell.exe
Token: SeDebugPrivilege | 1732 | powershell.exe
Token: SeDebugPrivilege | 688 | powershell.exe
Token: SeDebugPrivilege | 2132 | powershell.exe
Token: SeDebugPrivilege | 2704 | powershell.exe
Token: SeDebugPrivilege | 1564 | powershell.exe
Token: SeDebugPrivilege | 1520 | powershell.exe
Token: SeDebugPrivilege | 2688 | powershell.exe
Token: SeDebugPrivilege | 536 | powershell.exe
Token: SeDebugPrivilege | 2436 | powershell.exe
Token: SeDebugPrivilege | 2492 | powershell.exe
Token: SeDebugPrivilege | 1676 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Token: SeDebugPrivilege | 1788 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Token: SeDebugPrivilege | 2856 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Token: SeDebugPrivilege | 2144 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Token: SeDebugPrivilege | 2412 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Token: SeDebugPrivilege | 2092 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Token: SeDebugPrivilege | 1468 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe, 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe, WScript.exe, 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe, WScript.exe, 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe, WScript.exe
64 rows in total; each parent/child pair is logged three times in the report (the last pair once, where the 64-row listing ends), collapsed here into the "rows" column.
description | pid | process | target process | rows
PID 2340 wrote to memory of 2492 | 2340 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | powershell.exe | 3
PID 2340 wrote to memory of 2132 | 2340 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | powershell.exe | 3
PID 2340 wrote to memory of 2704 | 2340 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | powershell.exe | 3
PID 2340 wrote to memory of 1564 | 2340 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | powershell.exe | 3
PID 2340 wrote to memory of 1520 | 2340 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | powershell.exe | 3
PID 2340 wrote to memory of 536 | 2340 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | powershell.exe | 3
PID 2340 wrote to memory of 1732 | 2340 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | powershell.exe | 3
PID 2340 wrote to memory of 556 | 2340 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | powershell.exe | 3
PID 2340 wrote to memory of 688 | 2340 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | powershell.exe | 3
PID 2340 wrote to memory of 2688 | 2340 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | powershell.exe | 3
PID 2340 wrote to memory of 2436 | 2340 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | powershell.exe | 3
PID 2340 wrote to memory of 1416 | 2340 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | powershell.exe | 3
PID 2340 wrote to memory of 1676 | 2340 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | 3
PID 1676 wrote to memory of 2696 | 1676 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | WScript.exe | 3
PID 1676 wrote to memory of 784 | 1676 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | WScript.exe | 3
PID 2696 wrote to memory of 1788 | 2696 | WScript.exe | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | 3
PID 1788 wrote to memory of 2004 | 1788 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | WScript.exe | 3
PID 1788 wrote to memory of 2016 | 1788 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | WScript.exe | 3
PID 2004 wrote to memory of 2856 | 2004 | WScript.exe | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | 3
PID 2856 wrote to memory of 708 | 2856 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | WScript.exe | 3
PID 2856 wrote to memory of 1584 | 2856 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | WScript.exe | 3
PID 708 wrote to memory of 2144 | 708 | WScript.exe | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe | 1
System policy modification 1 TTPs 24 IoCs
Processes: 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe (8 instances)
Three UAC policy values are written, each eight times, by the sample's process instances (24 IoCs in total):
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Command: "C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe" (level 1)
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' (level 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' (level 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' (level 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/' (level 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' (level 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' (level 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' (level 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' (level 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' (level 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' (level 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' (level 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' (level 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1416

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Command: "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe" (level 2)
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 1676

C:\Windows\System32\WScript.exe
Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\048bf34c-d2d9-43b1-b4fc-a1beab3e12e5.vbs" (level 3)
- Suspicious use of WriteProcessMemory
PID: 2696

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Command: "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe" (level 4)
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 1788

C:\Windows\System32\WScript.exe
Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc55f815-c192-4012-afed-ec2050c9fd00.vbs" (level 5)
- Suspicious use of WriteProcessMemory
PID: 2004

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Command: "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe" (level 6)
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2856

C:\Windows\System32\WScript.exe
Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5bf4987-de4f-48fe-b8c4-1175fc34a508.vbs" (level 7)
- Suspicious use of WriteProcessMemory
PID: 708

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Command: "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe" (level 8)
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 2144

C:\Windows\System32\WScript.exe
Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b821b74-d73a-4888-852c-373a3656384c.vbs" (level 9)
PID: 924

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Command: "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe" (level 10)
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 2412

C:\Windows\System32\WScript.exe
Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\255e8bea-5310-4886-91c8-d55f9434765e.vbs" (level 11)
PID: 1540

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Command: "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe" (level 12)
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 2092

C:\Windows\System32\WScript.exe
Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5aedc89-e535-4572-aaad-2ebe8198bb80.vbs" (level 13)
PID: 2068

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Command: "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe" (level 14)
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 1468

C:\Windows\System32\WScript.exe
Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba23441d-9b88-47af-8863-69160435d031.vbs" (level 15)
PID: 3048

C:\Windows\System32\WScript.exe
Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f11a8482-f74a-4e0a-b357-b15678f1ee9b.vbs" (level 15)
PID: 472

C:\Windows\System32\WScript.exe
Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cf08891-b2d3-40fc-b803-00a980a49643.vbs" (level 13)
PID: 600

C:\Windows\System32\WScript.exe
Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7566dec5-e549-4af3-85e6-b06a2bf69a93.vbs" (level 11)
PID: 1676

C:\Windows\System32\WScript.exe
Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f463f9aa-8cbd-4d81-a2da-97788419d389.vbs" (level 9)
PID: 2356

C:\Windows\System32\WScript.exe
Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfa4b9a3-4bfc-46d0-8660-2d39514c157a.vbs" (level 7)
PID: 1584

C:\Windows\System32\WScript.exe
Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9904c07-e2d8-41b6-a7cc-b0954845aa34.vbs" (level 5)
PID: 2016

C:\Windows\System32\WScript.exe
Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fba3d8c5-ca61-488f-a15e-706e4e898e62.vbs" (level 3)
PID: 784

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\lsm.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2432

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\lsm.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2464

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\lsm.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1664

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Pictures\csrss.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2820

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Pictures\csrss.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1560

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Pictures\csrss.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1520

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1568

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2628

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2000

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2704

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 548

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\csrss.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1788

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1736

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 768

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1944

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2828

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 544

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1368

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft\RAC\StateData\lsm.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2856

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\RAC\StateData\lsm.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 644

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\RAC\StateData\lsm.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2016

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\services.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3048

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\services.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1332

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\services.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2004

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Temp\Crashpad\dllhost.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1852

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\dllhost.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1228

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\Crashpad\dllhost.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 608

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\csrss.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 708

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 584

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1432

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Searches\services.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1796

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Searches\services.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2360

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Searches\services.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2156

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2084

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1124

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2924

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 328

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1004

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2572

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics7" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1600

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1808

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics7" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2244

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\ja-JP\wininit.exe'" /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 916

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\wininit.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 944

C:\Windows\system32\schtasks.exe
Command: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\ja-JP\wininit.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2952
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism: Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads
3.2MB
-
memory/2340-8-0x00000000006B0000-0x00000000006C0000-memory.dmpFilesize
64KB
-
memory/2340-7-0x0000000000270000-0x0000000000278000-memory.dmpFilesize
32KB
-
memory/2340-6-0x0000000000600000-0x000000000061C000-memory.dmpFilesize
112KB
-
memory/2340-5-0x0000000000260000-0x0000000000268000-memory.dmpFilesize
32KB
-
memory/2340-4-0x0000000000250000-0x000000000025E000-memory.dmpFilesize
56KB
-
memory/2340-3-0x0000000000240000-0x000000000024E000-memory.dmpFilesize
56KB
-
memory/2340-2-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmpFilesize
9.9MB
-
memory/2856-332-0x0000000000510000-0x0000000000566000-memory.dmpFilesize
344KB