Analysis
max time kernel: 151s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 07:43
Behavioral task: behavioral1
Sample: 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Size: 3.2MB
MD5: 7d51904b084c1d1037f17ed8aaa57a70
SHA1: d2d0d38ca329c1cb2fa955c8fbb3f12cb28fc05d
SHA256: 8d23e71c63a93438c953695aa9cc56ca5a8a2b05ad94ba7535698add6dad98e6
SHA512: cb0065905907951367375dde96c9c6e4b27ffa041c4ab870e03744d94ef091010396e77fa6ff26e2b1677e36c7254ee953d23ffa707e1ffe79f939cfd91d8582
SSDEEP: 49152:nC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:nC0Fl8v/qXYrv5tG9uKJGAWl5N
Malware Config
Signatures
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is wmiprvse.exe (the WMI Provider Host), which creates processes on behalf of whichever client issued a WMI request such as Win32_Process.Create, so the real initiator is the WMI client, not wmiprvse.exe itself; correlate the spawn times with the sample's activity rather than treating wmiprvse.exe as the compromised process.
Processes:
description | pid | pid_target | process
All 45 rows carry the same description, "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", the same pid_target 3840 (the wmiprvse.exe parent) and the same process, schtasks.exe. The 45 schtasks.exe pids, in the order reported:
728, 740, 2356, 1544, 4564, 4328, 1188, 3168, 960, 4648, 2608, 384, 4296, 3940, 3972, 4964, 3612, 3520, 1560, 2884, 3448, 3720, 3948, 3752, 4624, 3400, 3372, 2236, 2900, 4508, 1384, 4144, 5044, 3912, 984, 3244, 2528, 4300, 4184, 3536, 3120, 3444, 4500, 4148, 2672
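The parent/child anomaly above (one wmiprvse.exe pid fanning out 45 schtasks.exe children) is easy to reproduce over process-creation telemetry such as Sysmon event 1, which records both Image and ParentImage. The following is an added example, not code from the sandbox or the report: the key=value record shape, the EXPECTED_CHILDREN table and the sample events are this example's own assumptions, constructed to mirror the rows above.

```python
"""Flag children that a tightly constrained parent should never spawn.

Added example, not part of the sandbox report. The event lines are constructed
to mirror the wmiprvse.exe -> schtasks.exe rows above; the key=value log shape
and the EXPECTED_CHILDREN table are this example's own assumptions.
"""
import re
from collections import Counter

# Parent image -> children it is expected to create. A parent absent from the
# table is not constrained. wmiprvse.exe only creates processes on behalf of a
# WMI caller, so it gets an empty set: any child is worth a look (assumption).
EXPECTED_CHILDREN = {
    "wmiprvse.exe": set(),
    "wininit.exe": {"services.exe", "lsass.exe"},  # illustrative, not exhaustive
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def basename(path):
    """Last path component, lower-cased, so C:\\Windows\\System32\\x.exe -> x.exe."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Parse one key=value process-creation record (quoted values may hold spaces)."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "pid": int(fields["pid"]),
        "ppid": int(fields["ppid"]),
        "image": basename(fields["image"]),
        "parent_image": basename(fields["parent_image"]),
    }


def unexpected_children(lines):
    """Return the parsed events whose parent is constrained and child is not allowed."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        allowed = EXPECTED_CHILDREN.get(ev["parent_image"])
        if allowed is not None and ev["image"] not in allowed:
            findings.append(ev)
    return findings


def burst_summary(findings):
    """Count anomalous children per (parent image, parent pid, child image).

    A single wmiprvse.exe pid fanning out dozens of schtasks.exe children, as in
    the report above, shows up here as one tuple with a large count.
    """
    return Counter((f["parent_image"], f["ppid"], f["image"]) for f in findings)


# Constructed sample telemetry (not from the report): three of the 45
# wmiprvse.exe -> schtasks.exe spawns, one other wmiprvse.exe child, two
# control events that must not fire, and one wininit.exe child that must.
SAMPLE_EVENTS = [
    r'pid=728 ppid=3840 image="C:\Windows\System32\schtasks.exe" parent_image="C:\Windows\system32\wbem\wmiprvse.exe"',
    r'pid=740 ppid=3840 image="C:\Windows\System32\schtasks.exe" parent_image="C:\Windows\system32\wbem\wmiprvse.exe"',
    r'pid=2356 ppid=3840 image="C:\Windows\System32\schtasks.exe" parent_image="C:\Windows\system32\wbem\wmiprvse.exe"',
    r'pid=4100 ppid=3840 image="C:\Windows\System32\cmd.exe" parent_image="C:\Windows\system32\wbem\wmiprvse.exe"',
    r'pid=5000 ppid=4412 image="C:\Windows\System32\schtasks.exe" parent_image="C:\Windows\explorer.exe"',
    r'pid=5200 ppid=612 image="C:\Windows\System32\lsass.exe" parent_image="C:\Windows\System32\wininit.exe"',
    r'pid=5300 ppid=612 image="C:\Windows\System32\cmd.exe" parent_image="C:\Windows\System32\wininit.exe"',
]

if __name__ == "__main__":
    hits = unexpected_children(SAMPLE_EVENTS)
    for (parent, ppid, child), n in burst_summary(hits).items():
        print(f"{parent} (pid {ppid}) spawned {child} x{n}")
```

The empty allow-list for wmiprvse.exe is deliberately strict; management tooling that drives hosts through WMI will need its own entries. Because wmiprvse.exe is only the intermediary, the burst summary is the pivot point: take the parent pid and time window and look for the process that issued the WMI call in the same interval.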
Processes:
description | ioc | process
Six instances of 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe each set the same three UAC policy values to 0 (18 events in total, 6 per value):
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
EnableLUA = 0 disables UAC (fully effective after a reboot), ConsentPromptBehaviorAdmin = 0 lets administrators elevate without any prompt, and PromptOnSecureDesktop = 0 moves any remaining prompt off the secure desktop. Writing under HKLM\...\Policies\System requires administrative rights, so these events also show the sample was already running elevated.
Processes:
resource | yara_rule
behavioral2/memory/1480-1-0x0000000000AD0000-0x0000000000E0C000-memory.dmp | dcrat
C:\Program Files\Microsoft Office\PackageManifests\sysmon.exe | dcrat
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\RCX6E4C.tmp | dcrat
C:\odt\RCX7313.tmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
Processes:
pid | process
powershell.exe pids: 2548, 2324, 4752, 4352, 4336, 1600, 3808, 3580, 1216, 2184, 3272, 4340
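The report records only the twelve powershell.exe pids, not their command lines, so the following is an added example rather than anything recovered from the sample: it shows how to pull Defender exclusions and disabled protections out of PowerShell command lines once you have them (Sysmon event 1 or 4688 with command-line auditing). The command lines are constructed, and the regexes, parameter-prefix handling and -EncodedCommand unwrapping are this example's own.

```python
"""Extract Windows Defender tampering from PowerShell command lines.

Added example, not part of the sandbox report, which lists only the twelve
powershell.exe pids. The command lines below are constructed; the regexes and
the -EncodedCommand unwrapping are this example's own detection logic.
"""
import base64
import re

# -e, -ec, -enc and -EncodedCommand are all accepted spellings; the payload is
# base64 of UTF-16LE text.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)
# PowerShell binds unambiguous parameter prefixes (-ExclusionPat works), so
# anchor on the stem rather than the full name. Value may be quoted or bare.
EXCLUSION_RE = re.compile(
    r"-Exclusion(Pa\w*|Ext\w*|Pr\w*)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)
DISABLE_RE = re.compile(r"Set-MpPreference\b[^|;]*?-(Disable\w+)\s+\$?true", re.I)
KIND = {"pa": "path", "ex": "extension", "pr": "process"}


def unwrap_encoded(cmdline):
    """Return the decoded -EncodedCommand payload, or the cmdline unchanged."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def defender_changes(cmdline):
    """Exclusions added and protections switched off by one command line."""
    text = unwrap_encoded(cmdline)
    exclusions = []
    for m in EXCLUSION_RE.finditer(text):
        kind = KIND[m.group(1)[:2].lower()]
        value = next(v for v in m.groups()[1:] if v is not None)
        exclusions.append((kind, value))
    disabled = [m.group(1) for m in DISABLE_RE.finditer(text)]
    return {"exclusions": exclusions, "disabled": disabled}


def triage(cmdlines):
    """Keep only command lines that change Defender state."""
    hits = []
    for cmdline in cmdlines:
        changes = defender_changes(cmdline)
        if changes["exclusions"] or changes["disabled"]:
            hits.append((cmdline, changes))
    return hits


# Constructed command lines (not from the report). The last one wraps an
# exclusion in -EncodedCommand the way droppers commonly do.
_ENCODED = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\odt'".encode("utf-16-le")).decode()
SAMPLE_CMDLINES = [
    r'powershell.exe -NoProfile -Command Add-MpPreference -ExclusionPath "C:\Program Files\Microsoft Office\PackageManifests"',
    r"powershell.exe -Command Add-MpPreference -ExclusionExtension '.exe'",
    r"powershell.exe -Command Add-MpPreference -ExclusionProcess sysmon.exe",
    r"powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true",
    r"powershell.exe -Command Get-MpPreference",
    "powershell.exe -NoP -W Hidden -EncodedCommand " + _ENCODED,
]

if __name__ == "__main__":
    for cmdline, changes in triage(SAMPLE_CMDLINES):
        print(changes, "<-", cmdline[:60])
```

Two caveats: a comma-separated list such as -ExclusionPath 'a','b' yields only the first element here, and the same change can be made without PowerShell at all (through the MSFT_MpPreference WMI class or the Defender UI). The Microsoft-Windows-Windows Defender/Operational log records every configuration change as event 5007 regardless of the path taken, so command-line matching belongs beside that event, not instead of it.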
Checks computer location settings 2 TTPs 6 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
description | ioc | process
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe (6 events, one per instance of the sample)
Executes dropped EXE 5 IoCs
Processes:
pid | process
7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe pids: 6028, 5432, 6024, 5300, 3368
Processes:
description | ioc | process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (6 events)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (6 events)
All 12 events come from the six instances of 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe.
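The registry rows in the three sections above (the UAC policy values zeroed, the EnableLUA read-back, and the Geo\Nation lookup) can be scored mechanically. Below is an added example, not code from the sandbox or the report: it parses rows in the same "Set value" / "Key value queried" shape the report prints, flags any UAC policy value pushed away from its default, and notes the locale lookup. The sample rows are constructed, and the expected-value table and output tags are this example's own assumptions.

```python
"""Classify registry telemetry: UAC policy tampering and locale lookups.

Added example, not part of the sandbox report. The lines are constructed in the
same "Set value"/"Key value queried" shape the report uses; the expected
settings and the output tags are this example's own assumptions.
"""
import re

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Value name -> data a host with default UAC has. Writing these requires
# administrative rights, so a hit also tells you the writer was elevated.
UAC_EXPECTED = {
    "EnableLUA": "1",                   # 0 disables UAC (takes effect on reboot)
    "ConsentPromptBehaviorAdmin": "5",  # 0 = administrators elevate with no prompt
    "PromptOnSecureDesktop": "1",       # 0 = prompt on the normal, spoofable desktop
}
GEO_SUFFIX = r"\Control Panel\International\Geo\Nation"

SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "([^"]*)" (\S+)$')
QUERY_RE = re.compile(r'^Key value queried (\\REGISTRY\\.+) (\S+)$')


def parse_line(line):
    """Split one report-style registry row into op, key, value name, data, process."""
    m = SET_RE.match(line)
    if m:
        vtype, path, data, proc = m.groups()
        key, _, name = path.rpartition("\\")
        return {"op": "set", "key": key, "name": name, "type": vtype,
                "data": data, "process": proc}
    m = QUERY_RE.match(line)
    if m:
        path, proc = m.groups()
        key, _, name = path.rpartition("\\")
        return {"op": "query", "key": key, "name": name, "process": proc}
    return None


def classify(lines):
    """Per process: UAC values pushed away from their expected data, and geo lookups."""
    findings = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        entry = findings.setdefault(ev["process"],
                                    {"uac_tampering": {}, "geo_lookup": False})
        if (ev["op"] == "set" and ev["key"].lower() == UAC_KEY.lower()
                and ev["name"] in UAC_EXPECTED
                and ev["data"] != UAC_EXPECTED[ev["name"]]):
            entry["uac_tampering"][ev["name"]] = ev["data"]
        elif ev["op"] == "query" and (ev["key"] + "\\" + ev["name"]).lower().endswith(GEO_SUFFIX.lower()):
            entry["geo_lookup"] = True
    return findings


def uac_fully_disabled(entry):
    """True when all three values were zeroed, as in the report above."""
    tampering = entry["uac_tampering"]
    return all(tampering.get(name) == "0" for name in UAC_EXPECTED)


# Constructed rows (not from the report): "sample.exe" stands in for the
# analysed binary, "installer.exe" restores a value and must not be flagged.
SAMPLE_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sample.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sample.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sample.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation sample.exe',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sample.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" installer.exe',
]

if __name__ == "__main__":
    for proc, entry in classify(SAMPLE_LINES).items():
        print(proc, entry, "UAC off:", uac_fully_disabled(entry))
```

On a live host the same three values are read back with Get-ItemProperty on HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and Sysmon event 13 (RegistryEvent SetValue) carries the rows in a form this parser needs only a small adaptation for. A geo lookup on its own is not malicious (many installers read it); it earns weight here only because the same process also zeroes the UAC policy.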
Drops file in Program Files directory 25 IoCs
Processes:
description | ioc | process
All 25 events are by 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe:
File created | C:\Program Files\Microsoft Office\Office16\9b2dce32fb4010
File opened for modification | C:\Program Files\Windows Mail\explorer.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\RCX7837.tmp
File created | C:\Program Files\Microsoft Office\PackageManifests\sysmon.exe
File created | C:\Program Files\Windows Mail\7a0fd90576e088
File opened for modification | C:\Program Files\Microsoft Office\Office16\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\sysmon.exe
File opened for modification | C:\Program Files\Windows Mail\RCX75F3.tmp
File opened for modification | C:\Program Files\Windows Mail\RCX7613.tmp
File created | C:\Program Files\Microsoft Office\Office16\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
File created | C:\Program Files\Microsoft Office\PackageManifests\121e5b5079f7c0
File opened for modification | C:\Program Files\Microsoft Office\Office16\RCX5E51.tmp
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\RCX6E9B.tmp
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\csrss.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\csrss.exe
File created | C:\Program Files\Windows Mail\explorer.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\RCX6E4C.tmp
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\886983d96e3d3e
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\upfc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\upfc.exe
File opened for modification | C:\Program Files\Microsoft Office\Office16\RCX5E21.tmp
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\RCX6075.tmp
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\RCX7857.tmp
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\ea1d8f6d871115
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\RCX6095.tmp
Drops file in Windows directory 10 IoCs
Processes:
description | ioc | process
All 10 events are by 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe:
File created | C:\Windows\Fonts\SearchApp.exe
File created | C:\Windows\Fonts\38384e6a620884
File opened for modification | C:\Windows\Fonts\SearchApp.exe
File opened for modification | C:\Windows\security\ApplicationId\PolicyManagement\SearchApp.exe
File opened for modification | C:\Windows\security\ApplicationId\PolicyManagement\RCX653C.tmp
File created | C:\Windows\security\ApplicationId\PolicyManagement\SearchApp.exe
File created | C:\Windows\security\ApplicationId\PolicyManagement\38384e6a620884
File opened for modification | C:\Windows\Fonts\RCX58CD.tmp
File opened for modification | C:\Windows\Fonts\RCX591D.tmp
File opened for modification | C:\Windows\security\ApplicationId\PolicyManagement\RCX651C.tmp
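The two file-drop sections above share one pattern: a copy of the payload named after a Windows binary (csrss.exe, explorer.exe, SearchApp.exe, upfc.exe, sysmon.exe) written somewhere that binary never lives, a companion file with a 14-character hex name in the same directory, and RCX####.tmp staging files. The following is an added example, not code from the sandbox or the DCRat project, that turns that pattern into a check over "File created" rows. The canonical-directory table, the companion and staging patterns, and the sample rows are this example's own assumptions.

```python
"""Flag dropped files that borrow a system binary's name outside its home
directory, plus the companion and staging files dropped beside them.

Added example, not from the sandbox report or the DCRat project. The events are
constructed in the shape of the report's "File created" rows; CANONICAL_DIRS
and the companion/staging patterns are this example's own assumptions.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Directory the genuine binary ships in (lower-case). Assumption: extend per
# estate; Sysmon's location depends on how it was installed.
CANONICAL_DIRS = {
    "csrss.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "upfc.exe": {r"c:\windows\system32"},
    "searchapp.exe": {r"c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy"},
    "sysmon.exe": {r"c:\windows", r"c:\windows\sysmon"},
}
HEX_COMPANION = re.compile(r"^[0-9a-f]{14}$")       # e.g. 9b2dce32fb4010 in the report
STAGING_TMP = re.compile(r"^rcx[0-9a-f]{4}\.tmp$")   # e.g. RCX75F3.tmp in the report
EVENT_RE = re.compile(r"^File (created|opened for modification) (.+) (\S+)$")


def parse_event(line):
    """Report-style row -> action, path, process (the process name has no spaces)."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"action": m.group(1), "path": m.group(2), "process": m.group(3)}


def classify_path(path):
    """'masquerade', 'companion', 'staging' or None for one dropped path."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    if name in CANONICAL_DIRS and parent not in CANONICAL_DIRS[name]:
        return "masquerade"
    if HEX_COMPANION.match(name):
        return "companion"
    if STAGING_TMP.match(name):
        return "staging"
    return None


def analyse(lines):
    """Group classified drops by directory: {dir: {kind: [names]}}."""
    by_dir = defaultdict(lambda: defaultdict(list))
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        kind = classify_path(ev["path"])
        if kind:
            p = PureWindowsPath(ev["path"])
            by_dir[str(p.parent).lower()][kind].append(p.name)
    return by_dir


def high_confidence_dirs(by_dir):
    """Directories holding both a masquerading binary and a companion file."""
    return {d for d, kinds in by_dir.items() if "masquerade" in kinds and "companion" in kinds}


# Constructed rows (not from the report); "sample.exe" is the dropper,
# "setup.exe" writes a legitimate explorer.exe and a text file.
SAMPLE_EVENTS = [
    r"File created C:\Program Files\Microsoft Office\PackageManifests\sysmon.exe sample.exe",
    r"File created C:\Program Files\Microsoft Office\PackageManifests\121e5b5079f7c0 sample.exe",
    r"File opened for modification C:\Program Files\Windows Mail\RCX75F3.tmp sample.exe",
    r"File created C:\Windows\Fonts\SearchApp.exe sample.exe",
    r"File created C:\Windows\explorer.exe setup.exe",
    r"File created C:\Program Files\Vendor\readme.txt setup.exe",
]

if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS)
    for d, kinds in result.items():
        print(d, dict(kinds))
    print("high confidence:", high_confidence_dirs(result))
```

The name check alone is noisy (software that bundles its own explorer.exe exists), which is why the directory-level pairing with a companion file is the score that matters; on a live host, confirm by comparing the Authenticode signature and file hash of the dropped binary against the one in its canonical directory.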
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 45 IoCs
schtasks.exe is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
schtasks.exe pids: 2236, 3912, 4564, 2608, 384, 3400, 4148, 740, 2356, 3720, 3752, 3448, 5044, 4300, 3536, 3940, 3612, 3520, 2884, 4184, 4500, 960, 4296, 4964, 2900, 984, 3444, 728, 3948, 4508, 4144, 2528, 2672, 1544, 4648, 1384, 3244, 3972, 3120, 4624, 3372, 4328, 1188, 3168, 1560
Modifies registry class 6 IoCs
Processes:
description | ioc | process
All 6 events are by 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe:
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings (5 events)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (1 event)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1480 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe (64 events, all from this pid)
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1480 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Token: SeDebugPrivilege | 1600, 3580, 4752, 4352, 4340, 3808, 2184, 2324, 2548, 4336, 1216, 3272 | powershell.exe
Token: SeDebugPrivilege | 6028, 5432, 6024, 5300, 3368 | 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Suspicious use of WriteProcessMemory 54 IoCs
Processes:
description | pid | process | target process
Each parent/child pair below appears twice in the report (27 distinct pairs, 54 events). "sample" is 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe:
PID 1480 (sample) wrote to memory of powershell.exe pids 3272, 1600, 2184, 4340, 4336, 4352, 4752, 3580, 2324, 1216, 2548, 3808
PID 1480 (sample) wrote to memory of 6028 (sample)
PID 6028 (sample) wrote to memory of 5608 and 1104 (WScript.exe)
PID 5608 (WScript.exe) wrote to memory of 5432 (sample)
PID 5432 (sample) wrote to memory of 2392 and 4332 (WScript.exe)
PID 2392 (WScript.exe) wrote to memory of 6024 (sample)
PID 6024 (sample) wrote to memory of 2836 and 3312 (WScript.exe)
PID 2836 (WScript.exe) wrote to memory of 5300 (sample)
PID 5300 (sample) wrote to memory of 5648 and 5332 (WScript.exe)
PID 5648 (WScript.exe) wrote to memory of 3368 (sample)
PID 3368 (sample) wrote to memory of 4744 and 6048 (WScript.exe)
Read as a chain: the first instance (1480) launches the twelve PowerShell processes and one copy of itself; each subsequent copy starts two WScript.exe processes, one of which starts the next copy, so the sample re-launches itself through VBScript five times within the run (6028, 5432, 6024, 5300, 3368, the same pids listed under "Executes dropped EXE").
WScript.exe -
System policy modification 1 TTPs 18 IoCs
The three values written below all sit under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and together switch off UAC prompting: EnableLUA = 0 disables UAC, ConsentPromptBehaviorAdmin = 0 elevates administrators without a consent prompt, and PromptOnSecureDesktop = 0 removes the secure-desktop prompt.
Processes: 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe (6 processes)
description / ioc / process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" by 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" by 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" by 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" by 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" by 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" by 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" by 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" by 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" by 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" by 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" by 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" by 7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe"
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1480
-
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3272
-
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1600
-
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4340
-
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4336
-
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4352
-
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4752
-
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3580
-
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2324
-
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1216
-
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2548
-
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3808
-
Level 2: C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Command line: "C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:6028
-
Level 3: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47204879-fadd-4fde-88db-1d22272b9a8a.vbs"
- Suspicious use of WriteProcessMemory
PID:5608
-
Level 4: C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Command line: C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5432
-
Level 5: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\656fe7b8-4505-4982-8588-1c27d08f5021.vbs"
- Suspicious use of WriteProcessMemory
PID:2392
-
Level 6: C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Command line: C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:6024
-
Level 7: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1634add0-aaee-40bc-92fc-87151904a770.vbs"
- Suspicious use of WriteProcessMemory
PID:2836
-
Level 8: C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Command line: C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5300
-
Level 9: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b8036b9-0dd6-4be4-b642-7644d186b43c.vbs"
- Suspicious use of WriteProcessMemory
PID:5648
-
Level 10: C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
Command line: C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3368
-
Level 11: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b33a83c-039f-4c55-9259-5bf6dc74b60f.vbs"
PID:4744
-
Level 11: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a0caa2d-179e-4d08-abbe-237c180726f7.vbs"
PID:6048
-
Level 9: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d066a01e-846c-4a54-b65d-66394f8e4178.vbs"
PID:5332
-
Level 7: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e37b3c2-f373-4f0b-950f-a46702fff52e.vbs"
PID:3312
-
Level 5: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8e3db69-7272-46e5-aa5f-ec7da81518d1.vbs"
PID:4332
-
Level 3: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a06106c-2ed8-4b6b-954d-40dabbc06730.vbs"
PID:1104
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\odt\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:728
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:740
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\SearchApp.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Fonts\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4564
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4328
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics7" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1188
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3168
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics7" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics7" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office16\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4648
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics7" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office16\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:384
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\PackageManifests\sysmon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4296
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3940
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\PackageManifests\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3972
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics7" /sc MINUTE /mo 8 /tr "'C:\odt\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics" /sc ONLOGON /tr "'C:\odt\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3612
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics7" /sc MINUTE /mo 5 /tr "'C:\odt\7d51904b084c1d1037f17ed8aaa57a70NeikiAnalytics.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3520
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\SearchApp.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\security\ApplicationId\PolicyManagement\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3448
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Users\Default\SendTo\msedge.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3720
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Default\SendTo\msedge.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3948
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Users\Default\SendTo\msedge.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\odt\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3400
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3372
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\odt\explorer.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2236
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4144
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5044
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\odt\unsecapp.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3912
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:984
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3244
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\odt\taskhostw.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2528
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4300
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4184
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\explorer.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3536
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3120
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3444
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\upfc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4500
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4148
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2672
-
Level 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5240 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
PID:3752
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads