Malware Analysis Report

2024-11-15 05:49

Sample ID 240513-xga7gsac85
Target 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics
SHA256 5d911e8e304885f5489587b85e5a43101d5a1078cbcb27727bdd16b78dd45df1
Tags
dcrat evasion execution infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5d911e8e304885f5489587b85e5a43101d5a1078cbcb27727bdd16b78dd45df1

Threat Level: Known bad

The file 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

dcrat evasion execution infostealer rat trojan

DCRat payload

Dcrat family

Process spawned unexpected child process

UAC bypass

DcRat

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-13 18:49

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-13 18:49

Reported

2024-05-13 18:51

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(identical row repeated 45 times: every schtasks.exe launch in this run has wmiprvse.exe as its parent, meaning the process was created through WMI rather than from a shell)
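
The parent/child anomaly the sandbox flags above is easy to reproduce from process-creation telemetry. The following is an added example, not code from the sandbox or the report: it runs a small parent allowlist over constructed events shaped like Sysmon Event ID 1 / Security 4688 records (ParentImage, Image), reproduces the 45 wmiprvse.exe -> schtasks.exe hits, and collapses them into one alert line. The allowlist of expected parents is an assumption to tune per environment.

```python
"""Flag schtasks.exe launched from an unexpected parent, as the sandbox did above.

Added example, not part of the sandbox report. Events are constructed to mimic
Sysmon Event ID 1 / Security 4688 fields and reproduce the 45 wmiprvse.exe ->
schtasks.exe hits; the parent allowlist is an assumption to tune per estate.
"""
import ntpath
from collections import Counter

# Watched child -> parents that legitimately launch it (interactive shells,
# installers, the service host). Assumption: adjust for your environment.
EXPECTED_PARENTS = {
    "schtasks.exe": {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe",
                     "msiexec.exe", "svchost.exe"},
}


def image_name(path: str) -> str:
    """Case-insensitive basename, so System32 and system32 compare equal."""
    return ntpath.basename(path).lower()


def is_unexpected_spawn(event: dict) -> bool:
    """True when the child is watched and its parent is not allowlisted.

    A parent of wmiprvse.exe means the child was created through WMI
    (Win32_Process.Create); no interactive use of schtasks looks like that.
    """
    allowed = EXPECTED_PARENTS.get(image_name(event["Image"]))
    if allowed is None:
        return False
    return image_name(event["ParentImage"]) not in allowed


def find_unexpected_spawns(events):
    return [e for e in events if is_unexpected_spawn(e)]


def spawn_summary(events) -> Counter:
    """Collapse repeated hits to (parent, child) -> count, as an alert would."""
    return Counter(
        (image_name(e["ParentImage"]), image_name(e["Image"]))
        for e in find_unexpected_spawns(events)
    )


# Constructed sample: the report's 45 WMI-spawned schtasks.exe launches, one
# benign launch from an administrator's cmd.exe, and one WMI-spawned process
# that is not on the watchlist and so is ignored.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "Image": r"C:\Windows\system32\schtasks.exe"},
] * 45 + [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe"},
    {"ParentImage": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "Image": r"C:\Windows\System32\msinfo32.exe"},
]

if __name__ == "__main__":
    for (parent, child), n in spawn_summary(SAMPLE_EVENTS).items():
        print(f"{parent} -> {child}: {n} hit(s)")
```

The same shape works as a Sigma rule (ParentImage endswith \wmiprvse.exe, Image endswith \schtasks.exe); the allowlist approach above is what you want when you also need to catch other unusual parents of schtasks.exe such as Office applications or browsers.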

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A [14 writes]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A [14 writes]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A [14 writes]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A [1 write]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A [1 write]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A [1 write]
(45 writes in total, collapsed to distinct rows)
Note: despite the signature name, these rows are not an elevation bypass of an enabled UAC. They are policy writes that switch UAC off: EnableLUA = 0 disables it outright after the next reboot, ConsentPromptBehaviorAdmin = 0 lets administrators elevate without any prompt, and PromptOnSecureDesktop = 0 stops prompts from being shown on the secure desktop. These HKLM values are writable only by administrators, so a successful write implies the writing process was already elevated.

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (7 hits, no indicator detail recorded)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Windows\Installer\backgroundTaskHost.exe N/A [14 queries]
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A [1 query]
(15 queries in total, collapsed to distinct rows)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A [14 writes]
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Installer\backgroundTaskHost.exe N/A [14 queries]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A [1 write]
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A [1 query]
(30 events in total, collapsed to distinct rows)
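
The two UAC tables above (the policy writes under "UAC bypass" and the EnableLUA reads and writes under "Checks whether UAC is enabled") are the registry events a responder wants to pull out of a trace and rank. The following is an added example, not code from the sandbox or the report: it parses rows in the report's own 'Set value (int) <value path> = "<n>" <process>' layout, keeps only writes of 0 to the three UAC policy values, attaches the impact of each, and collapses repeats. The sample rows are constructed from the hits above plus one read and one restoring write; the secure defaults listed are the Windows 10 defaults and are an assumption for other builds.

```python
"""Flag registry writes that weaken or disable UAC.

Added example, not part of the sandbox report. Parses rows in the report's own
'Set value (int) <path> = "<n>" <process>' layout. Sample rows are constructed
from the hits above plus a read and a restoring write. Defaults are the
Windows 10 values (assumption for other builds).
"""
import re
from collections import Counter

UAC_POLICY_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                  r"\Policies\System")

# value name -> (Windows 10 default, what a value of 0 does)
UAC_VALUES = {
    "EnableLUA": (1, "UAC disabled for all users; effective after reboot"),
    "ConsentPromptBehaviorAdmin": (5, "administrators elevate silently, no prompt"),
    "PromptOnSecureDesktop": (1, "elevation prompts no longer on the secure desktop"),
}

# Key path, value name, integer value, writing process; the trailing ' N/A'
# target column of the report layout is optional.
ROW_RE = re.compile(
    r'^Set value \(int\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\\s]+) = '
    r'"(?P<value>-?\d+)" (?P<process>.+?)(?: N/A)?$'
)


def parse_set_value(row: str):
    """Return {key, name, value, process} for an integer write row, else None."""
    m = ROW_RE.match(row)
    if not m:
        return None
    return {"key": m["key"], "name": m["name"],
            "value": int(m["value"]), "process": m["process"]}


def is_uac_weakening(rec: dict) -> bool:
    """A write of 0 to one of the three policy values under the UAC key."""
    return (rec["key"].lower() == UAC_POLICY_KEY.lower()
            and rec["name"] in UAC_VALUES
            and rec["value"] == 0)


def find_uac_weakening(rows):
    findings = []
    for row in rows:
        rec = parse_set_value(row)
        if rec and is_uac_weakening(rec):
            default, impact = UAC_VALUES[rec["name"]]
            findings.append({**rec, "default": default, "impact": impact})
    return findings


def summarize(findings) -> Counter:
    """(value name, writing process) -> count; 45 rows become a few lines."""
    return Counter((f["name"], f["process"]) for f in findings)


def uac_fully_disabled(findings) -> bool:
    """EnableLUA = 0 removes UAC; the other two values only silence it."""
    return any(f["name"] == "EnableLUA" for f in findings)


K = UAC_POLICY_KEY
SAMPLE_ROWS = [  # constructed from the report's rows
    f'Set value (int) {K}\\PromptOnSecureDesktop = "0" C:\\Windows\\Installer\\backgroundTaskHost.exe N/A',
    f'Set value (int) {K}\\EnableLUA = "0" C:\\Windows\\Installer\\backgroundTaskHost.exe N/A',
    f'Set value (int) {K}\\EnableLUA = "0" C:\\Windows\\Installer\\backgroundTaskHost.exe N/A',
    f'Set value (int) {K}\\ConsentPromptBehaviorAdmin = "0" C:\\Windows\\Installer\\backgroundTaskHost.exe N/A',
    f'Set value (int) {K}\\EnableLUA = "0" C:\\Users\\Admin\\AppData\\Local\\Temp\\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A',
    # not weakening: a read, and a (constructed) write restoring the default
    f'Key value queried {K}\\EnableLUA C:\\Windows\\Installer\\backgroundTaskHost.exe N/A',
    f'Set value (int) {K}\\EnableLUA = "1" C:\\Windows\\System32\\reg.exe N/A',
]

if __name__ == "__main__":
    found = find_uac_weakening(SAMPLE_ROWS)
    for (name, proc), n in summarize(found).items():
        print(f"{name} set to 0 by {proc} ({n}x): {UAC_VALUES[name][1]}")
    print("UAC fully disabled:", uac_fully_disabled(found))
```

On a live host the same three values can be read back with Get-ItemProperty on HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; a reboot is needed before an EnableLUA change takes effect, so a box with EnableLUA = 0 and no reboot since the write still shows prompts until then.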

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Internet Explorer\es-ES\explorer.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\RCX46DB.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File created C:\Program Files\Internet Explorer\es-ES\explorer.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\RCX4B13.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File created C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\RCX4B91.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\RCX5986.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File created C:\Program Files\Google\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Internet Explorer\es-ES\RCX3F83.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\RCX5987.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File created C:\Program Files\Google\e6c9b481da804f C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX3CE0.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File created C:\Program Files\Mozilla Firefox\uninstall\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX3CF1.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File created C:\Program Files\ModifiableWindowsApps\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File created C:\Program Files\Internet Explorer\es-ES\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft\System.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX3839.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Internet Explorer\es-ES\RCX3F72.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\RCX46FB.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\System.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX3838.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File created C:\Windows\Installer\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Installer\RCX526C.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Installer\RCX52EA.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Installer\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
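
The two file tables above show the drop pattern: copies named after real Windows binaries (RuntimeBroker.exe, explorer.exe, sppsvc.exe, backgroundTaskHost.exe) written to directories where those binaries never live, two executables named after Task Manager pseudo-processes (System.exe, Idle.exe), and next to each one an extensionless file with a 14-character hex name. The following is an added example, not code from the sandbox or the report: it classifies a list of dropped paths against an expected-location map and reports the directories that received both an executable and a companion file. The expected-location map covers only the names this sample reuses and is an assumption to extend; the 14-hex companion rule is a pattern observed in this report's file list, not a documented DCRat constant; the paths are constructed from the rows above plus two benign ones.

```python
"""Triage dropped-file paths for masquerading, as seen in the tables above.

Added example, not part of the sandbox report. EXPECTED_LOCATIONS covers only
the binary names this sample imitates (assumption: extend with a baseline);
the 14-hex companion rule is a pattern observed in this report's file list.
"""
import ntpath
import re
from collections import defaultdict

# Windows binary name -> directories (lower-case) where the real file lives.
EXPECTED_LOCATIONS = {
    "runtimebroker.exe": {r"c:\windows\system32"},
    "backgroundtaskhost.exe": {r"c:\windows\system32"},
    "sppsvc.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}

# Task Manager lists "System" and "System Idle Process"; neither is an .exe on
# disk, so an executable with one of these names is presumably meant to blend in.
PSEUDO_PROCESS_NAMES = {"system.exe", "idle.exe"}

COMPANION_RE = re.compile(r"^[0-9a-f]{14}$")


def split_path(path: str):
    directory, name = ntpath.split(path)
    return directory.lower(), name.lower()


def classify_drop(path: str):
    """Return (kind, reason) when the path looks like masquerading, else None."""
    directory, name = split_path(path)
    if name in PSEUDO_PROCESS_NAMES:
        return ("pseudo", "executable named after a Task Manager pseudo-process")
    expected = EXPECTED_LOCATIONS.get(name)
    if expected is not None and directory not in expected:
        return ("masquerade", f"{name} outside its expected directory")
    if COMPANION_RE.match(name):
        return ("companion", "extensionless 14-hex-character companion file")
    return None  # e.g. the RCX####.tmp staging files, or the real binary


def triage(paths):
    return {p: r for p in paths if (r := classify_drop(p))}


def payload_dirs(paths):
    """Directories that got both a flagged executable and a companion file:
    the drop sites to collect first during response."""
    kinds_by_dir = defaultdict(set)
    for path, (kind, _reason) in triage(paths).items():
        directory, _name = split_path(path)
        kinds_by_dir[directory].add("companion" if kind == "companion" else "exe")
    return sorted(d for d, kinds in kinds_by_dir.items()
                  if kinds == {"exe", "companion"})


# Constructed from the report's "File created" rows, plus a staging .tmp and
# the genuine RuntimeBroker.exe, which must not be flagged.
SAMPLE_PATHS = [
    r"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe",
    r"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\9e8d7a4ca61bd9",
    r"C:\Program Files\Internet Explorer\es-ES\explorer.exe",
    r"C:\Program Files\Internet Explorer\es-ES\7a0fd90576e088",
    r"C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe",
    r"C:\Program Files\Mozilla Firefox\uninstall\0a1fd5f707cd16",
    r"C:\Program Files (x86)\Microsoft\System.exe",
    r"C:\Program Files (x86)\Microsoft\27d1bcfc3c54e0",
    r"C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe",
    r"C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\6ccacd8608530f",
    r"C:\Windows\Installer\backgroundTaskHost.exe",
    r"C:\Windows\Installer\eddb19405b7ce1",
    r"C:\Program Files (x86)\Microsoft\RCX46DB.tmp",
    r"C:\Windows\System32\RuntimeBroker.exe",
]

if __name__ == "__main__":
    for path, (kind, reason) in triage(SAMPLE_PATHS).items():
        print(f"[{kind}] {path}: {reason}")
    print("drop sites:", *payload_dirs(SAMPLE_PATHS), sep="\n  ")
```

Note that the name check alone is not proof: an installer may legitimately place a differently named copy of a binary under Program Files, so pair the verdict with the "Unsigned PE" signature above and an Authenticode check of the dropped file before acting on it.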

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (45 schtasks.exe invocations; the sandbox recorded no task names or command lines for them)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Windows\Installer\backgroundTaskHost.exe N/A [14 times]

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Installer\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Installer\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Installer\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Installer\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Installer\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Installer\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Installer\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Installer\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Installer\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Installer\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Installer\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Installer\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Installer\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Installer\backgroundTaskHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 64 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 5152 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\Installer\backgroundTaskHost.exe
PID 64 wrote to memory of 5152 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\Installer\backgroundTaskHost.exe
PID 5152 wrote to memory of 5556 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5152 wrote to memory of 5556 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5152 wrote to memory of 5596 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5152 wrote to memory of 5596 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5556 wrote to memory of 5732 N/A C:\Windows\System32\WScript.exe C:\Windows\Installer\backgroundTaskHost.exe
PID 5556 wrote to memory of 5732 N/A C:\Windows\System32\WScript.exe C:\Windows\Installer\backgroundTaskHost.exe
PID 5732 wrote to memory of 5900 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5732 wrote to memory of 5900 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5732 wrote to memory of 5948 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5732 wrote to memory of 5948 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5900 wrote to memory of 3944 N/A C:\Windows\System32\WScript.exe C:\Windows\Installer\backgroundTaskHost.exe
PID 5900 wrote to memory of 3944 N/A C:\Windows\System32\WScript.exe C:\Windows\Installer\backgroundTaskHost.exe
PID 3944 wrote to memory of 3820 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 3944 wrote to memory of 3820 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 3944 wrote to memory of 512 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 3944 wrote to memory of 512 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 3820 wrote to memory of 3828 N/A C:\Windows\System32\WScript.exe C:\Windows\Installer\backgroundTaskHost.exe
PID 3820 wrote to memory of 3828 N/A C:\Windows\System32\WScript.exe C:\Windows\Installer\backgroundTaskHost.exe
PID 3828 wrote to memory of 1760 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 3828 wrote to memory of 1760 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 3828 wrote to memory of 3360 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 3828 wrote to memory of 3360 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 1760 wrote to memory of 5192 N/A C:\Windows\System32\WScript.exe C:\Windows\Installer\backgroundTaskHost.exe
PID 1760 wrote to memory of 5192 N/A C:\Windows\System32\WScript.exe C:\Windows\Installer\backgroundTaskHost.exe
PID 5192 wrote to memory of 1692 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5192 wrote to memory of 1692 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5192 wrote to memory of 2424 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5192 wrote to memory of 2424 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 1692 wrote to memory of 2556 N/A C:\Windows\System32\WScript.exe C:\Windows\Installer\backgroundTaskHost.exe
PID 1692 wrote to memory of 2556 N/A C:\Windows\System32\WScript.exe C:\Windows\Installer\backgroundTaskHost.exe
PID 2556 wrote to memory of 2400 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 2556 wrote to memory of 2400 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 2556 wrote to memory of 5512 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 2556 wrote to memory of 5512 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 2400 wrote to memory of 5180 N/A C:\Windows\System32\WScript.exe C:\Windows\Installer\backgroundTaskHost.exe
PID 2400 wrote to memory of 5180 N/A C:\Windows\System32\WScript.exe C:\Windows\Installer\backgroundTaskHost.exe
PID 5180 wrote to memory of 5580 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5180 wrote to memory of 5580 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5180 wrote to memory of 5796 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5180 wrote to memory of 5796 N/A C:\Windows\Installer\backgroundTaskHost.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Installer\backgroundTaskHost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics0" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics" /sc ONLOGON /tr "'C:\Users\Default User\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics0" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\es-ES\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\es-ES\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Google\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics0" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics0" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Windows\Installer\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Installer\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe'" /rl HIGHEST /f
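
The /create calls above follow one layout per dropped binary: a MINUTE task with no run level, an ONLOGON task at /rl HIGHEST, then the MINUTE task again under the same /tn with /rl HIGHEST. Every call passes /f, so that second definition silently replaces the first, and what actually persists is two HIGHEST tasks per binary (one at logon, one every few minutes), each pointing at a file that either sits in a drop directory (C:\Recovery, C:\Users\Public, C:\Windows\Installer) or borrows a Windows binary name outside its genuine location. The script below is an added triage example written for this page, not code from the report or from the sandbox: it parses the command lines, replays the /f overwrites and flags the targets. The table of genuine locations and the drop-directory list are the editor's assumptions, not data from the report.

```python
"""Triage of schtasks /create command lines (added example, editor's code)."""
import re
from collections import defaultdict

# Constructed input: the 22 /create command lines listed above, copied
# verbatim (only the last sysmon.exe task falls inside this excerpt).
SCHTASKS_CMDLINES = [
    r'''schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\OfficeClickToRun.exe'" /f''',
    r'''schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Google\OfficeClickToRun.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\OfficeClickToRun.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f''',
    r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics0" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /f''',
    r'''schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics0" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Windows\Installer\backgroundTaskHost.exe'" /f''',
    r'''schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Installer\backgroundTaskHost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\backgroundTaskHost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\System.exe'" /f''',
    r'''schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\TextInputHost.exe'" /f''',
    r'''schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\TextInputHost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\TextInputHost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe'" /f''',
    r'''schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe'" /rl HIGHEST /f''',
]

_CREATE = re.compile(r'(?i)\bschtasks(?:\.exe)?\b.*\s/create\b')
_OPT = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)

# Editor's assumptions: where the genuine binary of each borrowed name lives
# (None = no legitimate file of that name exists), and directories a
# scheduled task should not normally execute from.
_GENUINE_PARENT = {
    "sysmon.exe": r"c:\windows",
    "runtimebroker.exe": r"c:\windows\system32",
    "backgroundtaskhost.exe": r"c:\windows\system32",
    "sppsvc.exe": r"c:\windows\system32",
    "textinputhost.exe": r"c:\windows\systemapps",
    "officeclicktorun.exe": r"c:\program files\common files\microsoft shared\clicktorun",
    "system.exe": None,
}
_DROP_DIRS = ("c:\\recovery\\", "c:\\users\\public\\", "c:\\windows\\installer\\",
              "c:\\programdata\\", "\\appdata\\")


def parse_schtasks_create(cmdline):
    """Return the options of a `schtasks /create` call, or None for other calls."""
    if not _CREATE.search(cmdline):
        return None
    opts = {k.lower(): v.strip('"').strip("'") for k, v in _OPT.findall(cmdline)}
    mo = opts.get("mo", "")
    return {
        "name": opts.get("tn", ""),
        "schedule": opts.get("sc", "").upper(),
        "interval": int(mo) if mo.isdigit() else None,
        "target": opts.get("tr", ""),
        "highest": opts.get("rl", "").upper() == "HIGHEST",
        "force": bool(re.search(r"\s/f\b", cmdline, re.IGNORECASE)),
    }


def _under(parent, expected):
    return parent == expected or parent.startswith(expected + "\\")


def location_flags(target):
    """Flag drop directories and system-binary names outside their genuine home."""
    t = target.lower()
    parent, _, name = t.rpartition("\\")
    flags = []
    if any(d in t for d in _DROP_DIRS):
        flags.append("drop-dir")
    if name in _GENUINE_PARENT:
        expected = _GENUINE_PARENT[name]
        if expected is None or not _under(parent, expected):
            flags.append("lookalike-name")
    return flags


def persistence_findings(cmdlines):
    """Group /create calls by target and replay /f overwrites (last /tn wins)."""
    by_target = defaultdict(list)
    for line in cmdlines:
        task = parse_schtasks_create(line)
        if task:
            by_target[task["target"]].append(task)
    findings = []
    for target, tasks in by_target.items():
        effective = {}
        for t in tasks:                      # later definition replaces earlier
            effective[t["name"]] = t
        onlogon = any(t["schedule"] == "ONLOGON" and t["highest"] for t in effective.values())
        minute = [t for t in effective.values() if t["schedule"] == "MINUTE"]
        minute_highest = any(t["highest"] for t in minute)
        findings.append({
            "target": target,
            "created": len(tasks),
            "effective": len(effective),
            "onlogon_highest": onlogon,
            "minute_intervals": sorted(t["interval"] for t in minute if t["interval"] is not None),
            "minute_highest": minute_highest,
            "flags": location_flags(target),
            "dcrat_pattern": onlogon and minute_highest,
        })
    return findings


if __name__ == "__main__":
    for f in persistence_findings(SCHTASKS_CMDLINES):
        print(f)
```

Run against the excerpt, seven of the eight targets show the complete pattern (sysmon.exe does not, because only its last task is in the excerpt), every target carries at least one location flag, and OfficeClickToRun.exe ends up with two effective tasks out of three creations. On a live host the equivalent check is `schtasks /query /v /fo LIST`, or `Get-ScheduledTask` inspecting each task's Actions.Execute and Principal.RunLevel, looking for HIGHEST tasks whose action lives outside Windows and Program Files. The behavioral1 run below reports its schtasks.exe children under wmiprvse.exe, which is what creating them through WMI (Win32_Process.Create) looks like in a process tree: the parent link back to the sample is gone, so the task content, not the parent, has to carry the detection.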

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\Installer\backgroundTaskHost.exe

"C:\Windows\Installer\backgroundTaskHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd466347-92fe-4b91-923b-4398af225e25.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\393a414d-170c-4035-9237-ccbab26d0fe4.vbs"

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e60444e0-ec8a-4512-a96a-9e8c27278085.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d84be767-7b84-4364-87e4-e05b952a2fb6.vbs"

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a71532b-f9ce-4534-8df9-4b221000b439.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3847b708-f7b1-4ffe-a090-eb1204cebec4.vbs"

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea6cf745-b8c8-4d51-a3e3-9214842eddd2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73a7f493-a41e-4b05-a830-87dc0c8c0394.vbs"

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f6e3723-c975-4187-af4e-1a03587fbbac.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0d44e7f-73a8-4941-a0f2-87f432ce411b.vbs"

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\789b5567-4d03-457b-b34a-a8a336cdac71.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96842741-b1ea-4799-945e-1af8b0bab2c1.vbs"

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84102f20-aa3c-41a3-b2ce-dc2a6492decb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d520f40-e0d2-4b96-b966-51eed767b24e.vbs"

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b892d72-d363-434a-96a9-40e0fdcb016d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43505a82-b053-43c4-82aa-5bd01f2f110d.vbs"

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c51f102-bb6e-4a60-83e7-282963469afb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11b46a32-3a15-44cd-99ef-f934261178cc.vbs"

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e9d9a49-1964-40e0-a87c-956dab7af13d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dc696be-1579-4f94-a57d-e5741f2001aa.vbs"

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e509c3c8-ea34-49f8-810e-9046cb579038.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\537b7048-6230-4cd6-a6be-04b9a1e303d4.vbs"

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bd621da-46e5-412f-b7e4-c55f0f04d253.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f668c87d-67f1-44d1-aaab-ce327250d57b.vbs"

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dba74704-55f4-48c4-b364-deafda8e0859.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b215e46b-e662-49ec-9a96-22aebdadc046.vbs"

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\Installer\backgroundTaskHost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40633a2a-42d8-493b-97e7-45bc549b1f1a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f8c7ff4-8b41-42b1-a755-4efb9389b134.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 self-lighting-subpr.000webhostapp.com udp
US 145.14.145.74:80 self-lighting-subpr.000webhostapp.com tcp
US 8.8.8.8:53 74.145.14.145.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 145.14.145.74:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.145.74:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.145.74:80 self-lighting-subpr.000webhostapp.com tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 145.14.145.74:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.145.74:80 self-lighting-subpr.000webhostapp.com tcp
US 8.8.8.8:53 self-lighting-subpr.000webhostapp.com udp
US 145.14.145.17:80 self-lighting-subpr.000webhostapp.com tcp
US 8.8.8.8:53 17.145.14.145.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 145.14.145.17:80 self-lighting-subpr.000webhostapp.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 145.14.145.17:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.145.17:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.145.17:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.145.17:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.145.17:80 self-lighting-subpr.000webhostapp.com tcp
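
Reading the table: rows to 8.8.8.8:53 are the resolver, the in-addr.arpa names are PTR lookups of addresses the host has just contacted, and the bing.com / bing.net rows are Windows background traffic, so the sample's own peer is self-lighting-subpr.000webhostapp.com (a free web-hosting domain), reached repeatedly over TCP/80 at two addresses, 145.14.145.74 and 145.14.145.17. The script below is an added example by the editor, not part of the report, that parses rows in this layout and separates that peer from the noise. The noise suffix list, and treating TCP/80 as cleartext HTTP, are assumptions: the report shows no payload.

```python
"""IOC extraction from a sandbox network table (added example, editor's code)."""
import re
from collections import defaultdict

# Constructed input: an excerpt of the Network table above, one row per
# observed DNS query or connection (country, destination, domain, protocol).
NETWORK_ROWS = """\
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 self-lighting-subpr.000webhostapp.com udp
US 145.14.145.74:80 self-lighting-subpr.000webhostapp.com tcp
US 8.8.8.8:53 74.145.14.145.in-addr.arpa udp
US 145.14.145.74:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.145.74:80 self-lighting-subpr.000webhostapp.com tcp
US 8.8.8.8:53 self-lighting-subpr.000webhostapp.com udp
US 145.14.145.17:80 self-lighting-subpr.000webhostapp.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 145.14.145.17:80 self-lighting-subpr.000webhostapp.com tcp
"""

_ROW = re.compile(r"^([A-Z]{2})\s+(\S+):(\d+)\s+(\S+)\s+(tcp|udp)$")

# Assumption: names the analysis host generates on its own (PTR lookups for
# contacted addresses, Bing/Windows background traffic), not sample traffic.
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")
CLEARTEXT_PORTS = {80, 8080}          # port-based guess only; no payload in the report


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            rows.append({"cc": cc, "ip": ip, "port": int(port),
                         "domain": domain, "proto": proto})
    return rows


def is_noise(domain):
    return domain.lower().endswith(NOISE_SUFFIXES)


def c2_candidates(text):
    """Per-domain summary of non-noise traffic; DNS rows count as queries, not peers."""
    summary = defaultdict(lambda: {"endpoints": set(), "connections": 0,
                                   "dns_queries": 0, "cleartext_ports": set()})
    for r in parse_rows(text):
        if is_noise(r["domain"]):
            continue
        s = summary[r["domain"]]
        if r["proto"] == "udp" and r["port"] == 53:
            s["dns_queries"] += 1          # the resolver is not the peer
            continue
        s["endpoints"].add(f'{r["ip"]}:{r["port"]}')
        s["connections"] += 1
        if r["port"] in CLEARTEXT_PORTS:
            s["cleartext_ports"].add(r["port"])
    return dict(summary)


def iocs(text):
    """Flat, sorted list of domains and ip:port pairs worth blocking or hunting."""
    out = set()
    for domain, s in c2_candidates(text).items():
        out.add(domain)
        out.update(s["endpoints"])
    return sorted(out)


if __name__ == "__main__":
    for ioc in iocs(NETWORK_ROWS):
        print(ioc)
```

Both hosting addresses resolve from the same name, so the domain is the durable indicator and the IPs are the short-lived ones; a hunt should match on the name in DNS and proxy logs and on the ip:port pairs only for the period around the report date.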

Files

memory/64-0-0x00007FF83E493000-0x00007FF83E495000-memory.dmp

memory/64-1-0x0000000000EE0000-0x000000000121C000-memory.dmp

memory/64-2-0x00007FF83E490000-0x00007FF83EF51000-memory.dmp

memory/64-3-0x00000000031C0000-0x00000000031CE000-memory.dmp

memory/64-4-0x00000000031D0000-0x00000000031DE000-memory.dmp

memory/64-6-0x000000001C460000-0x000000001C47C000-memory.dmp

memory/64-7-0x000000001C4D0000-0x000000001C520000-memory.dmp

memory/64-9-0x000000001C490000-0x000000001C4A0000-memory.dmp

memory/64-12-0x000000001C520000-0x000000001C530000-memory.dmp

memory/64-11-0x000000001C4C0000-0x000000001C4C8000-memory.dmp

memory/64-10-0x000000001C4A0000-0x000000001C4B6000-memory.dmp

memory/64-13-0x000000001C530000-0x000000001C53A000-memory.dmp

memory/64-14-0x000000001C540000-0x000000001C596000-memory.dmp

memory/64-17-0x000000001C5B0000-0x000000001C5BC000-memory.dmp

memory/64-19-0x000000001C5D0000-0x000000001C5E2000-memory.dmp

memory/64-18-0x000000001C5C0000-0x000000001C5C8000-memory.dmp

memory/64-16-0x000000001C5A0000-0x000000001C5A8000-memory.dmp

memory/64-15-0x000000001C590000-0x000000001C59C000-memory.dmp

memory/64-8-0x000000001C480000-0x000000001C488000-memory.dmp

memory/64-5-0x000000001C450000-0x000000001C458000-memory.dmp

memory/64-21-0x000000001C600000-0x000000001C60C000-memory.dmp

memory/64-20-0x000000001CB30000-0x000000001D058000-memory.dmp

memory/64-22-0x000000001C610000-0x000000001C61C000-memory.dmp

memory/64-23-0x000000001C620000-0x000000001C62C000-memory.dmp

memory/64-24-0x000000001C630000-0x000000001C63C000-memory.dmp

memory/64-29-0x000000001C880000-0x000000001C88E000-memory.dmp

memory/64-25-0x000000001C750000-0x000000001C758000-memory.dmp

memory/64-31-0x000000001C8A0000-0x000000001C8A8000-memory.dmp

memory/64-28-0x000000001C870000-0x000000001C878000-memory.dmp

memory/64-33-0x000000001C900000-0x000000001C90C000-memory.dmp

memory/64-32-0x000000001C8F0000-0x000000001C8FA000-memory.dmp

memory/64-27-0x000000001C760000-0x000000001C76E000-memory.dmp

memory/64-34-0x00007FF83E490000-0x00007FF83EF51000-memory.dmp

memory/64-26-0x000000001C740000-0x000000001C74A000-memory.dmp

memory/64-30-0x000000001C890000-0x000000001C89C000-memory.dmp

memory/64-37-0x00007FF83E490000-0x00007FF83EF51000-memory.dmp

C:\Recovery\WindowsRE\sysmon.exe

MD5 00195dc23ea8cc5cb728c411f684ff40
SHA1 604a8ca144781805d4ea73de01caee8ba98c176d
SHA256 5d911e8e304885f5489587b85e5a43101d5a1078cbcb27727bdd16b78dd45df1
SHA512 218d3eb66ed906759a695160e8984e95e75aa2c7c4e5558d5941c16658f3e1df718213e307a9f8d3823fd4eaa8713e8cfda95f5de70b9d29cd29ad2ca73c3ddd

C:\Recovery\WindowsRE\sysmon.exe

MD5 ff222e397f441a440de414c09064304a
SHA1 3e33e71af577bc1b7b354142db331e325dd0538a
SHA256 7023170888f8977ee69849eb6116ce29f3e3d0bfaf5da693924c090d8c026d4b
SHA512 deeb3fd3843ec75337e62498ca930f43ca4b354345ec17fe10da1d650aa6398dca45f9a245bc6c3243c36aa51a6e2aeb52404c4d5d01f4f814125a96c5b1aaa0

C:\Program Files\Google\OfficeClickToRun.exe

MD5 dceca7f3ae5b7b4ca38a75686334b969
SHA1 a52f18b1467bcfb97ba524f874cafd8c2d1ac232
SHA256 15b8e3c8afe0b2dcb7f3398f0c97430e16fd4aa054eaff2bae8a7cbde711af60
SHA512 13209c752372537374c8479e9998b9c4e14c383aa3a2fa57e4a09d63ff50cb28d45ab1a75cfb4319cc0bb3b7bedce7043c72a05c15df69bfdd69c74a63d336fb

C:\Recovery\WindowsRE\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe

MD5 07e03442a170375f42e22b479ea0c7f9
SHA1 4d2726dc3fff0812950233be63b5264ff07b44bf
SHA256 6c778e1f8c4e18077559753829514ebaffbd56e4a5f5cc95278663596865e272
SHA512 f03a7db30a1a267beabcb43effc1364199403fa75c07073efc5a81f97a0474bd5f7f7b3acd4e46a1730a77bfce3d3c21012a101fca65c99ece03bc5343d43eae

C:\Windows\Installer\backgroundTaskHost.exe

MD5 97c77684fa148562c56a1b1da6a926b4
SHA1 c690a41cc2fcd78047a3d25e4774248ea8b8ae1c
SHA256 caf4418761f342717515e968e60c292b267379f1cc3aacd392551cc2a2e8f58b
SHA512 127a3c036797d8ad4175288741e952151bf693ff2841ce327ef95004be67f6ed6cb5e98e68c0d96de228e07673c7dd47e59ad2b7b6b7e3c6c39a153147e88f29

memory/1524-290-0x0000016529F30000-0x0000016529F52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_holj3jm3.3my.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5152-392-0x0000000000C50000-0x0000000000F8C000-memory.dmp

memory/64-393-0x00007FF83E490000-0x00007FF83EF51000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e448fe0d240184c6597a31d3be2ced58
SHA1 372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256 c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA512 0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 59d97011e091004eaffb9816aa0b9abd
SHA1 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512 d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Temp\dd466347-92fe-4b91-923b-4398af225e25.vbs

MD5 7e5c931533642b309539c913ab0a1693
SHA1 93f9e4afafe187a149c2615aafa558feeab19be8
SHA256 f063f020fb833db7968561146312993d5dea5682c4469e8136bdeff50ca67d16
SHA512 8956528c5bbd28c35806b019ba80e7749e2f0c6bab8fc835c3f3eda05ebf3aecd7d77702768d42fc0107496fb9d49e47a9e95ec46c9ddf094f18da9b76a65538

C:\Users\Admin\AppData\Local\Temp\393a414d-170c-4035-9237-ccbab26d0fe4.vbs

MD5 76accfec88f25e1895b4397b1ae1de3f
SHA1 2c6bd88e43758110e5feb8318a0481aded5e1d96
SHA256 638222d3abd9eae17158735954f40dde467c86ce02eea50eeb86b19ca3b12409
SHA512 e93e99f8ee24c64cf0b830d793f76cb6b0341d31e264d9a68fe829f1b61ce1d15c5fa34a95f3b0eafc01014d5aa9e81eceffe17b7a51cf3e5bcb93bd7ff9e5d9

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\backgroundTaskHost.exe.log

MD5 49b64127208271d8f797256057d0b006
SHA1 b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA256 2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512 f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

C:\Users\Admin\AppData\Local\Temp\e60444e0-ec8a-4512-a96a-9e8c27278085.vbs

MD5 e824770de22711d3cd276a529b7075d9
SHA1 611a3a69fd3391e7055f5f5b378116fb3fa55546
SHA256 0bdd0708ff43d04705d0ba6934d70626bd686227bccc3113c0d7cb001feb71d8
SHA512 7ca635b7979463cc4bd08580388bad1408fcba8ffe6f6e2e41913c7b19d73138607bf48144ac16e3356d76e9891903bd40bd11536652094a07796c84737daa73

C:\Users\Admin\AppData\Local\Temp\1a71532b-f9ce-4534-8df9-4b221000b439.vbs

MD5 78fbd19b5729d075c90671a60e1b6eeb
SHA1 18e029ec56886688e1be129b233e857f79a6ee68
SHA256 1f13fb1bd7e97e28aeaad93fe0616b3a0813496380b6b822e47e591845f605c9
SHA512 2c915e2d2317cbe0ea5cb3e2bdff62ec7c5f1e43fe5fd769357e889bcbb369fea6cc83063f1f84918b8ba6544adefde1fffbb2e08c0c28233103fa6da5f96948

C:\Users\Admin\AppData\Local\Temp\ea6cf745-b8c8-4d51-a3e3-9214842eddd2.vbs

MD5 2883e00831d45118ca620a379489dd7d
SHA1 99ce5af3de445e1a9b3bc4911194eaa653229656
SHA256 229fbe0b441398d981423459c6360bd1c4b6df83c086b6d9893b87cd2e468443
SHA512 5aaa7b3742f11bfb34aedb3eb5d5b4bcc8448f20a00150acf80a8ddd666949c15531e8898890ec1e79fee9292d7d7ef65dd5a75cc7b51d06ce58dcbe4c572e06

memory/5192-462-0x000000001B7D0000-0x000000001B826000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7f6e3723-c975-4187-af4e-1a03587fbbac.vbs

MD5 d0c0ec367f9ea3220f47041faab49a7b
SHA1 0576a36c60545e5d4939023ecde7714c9c08a759
SHA256 5742d4d41d63ddfcbffa9ee8de6e8ffc12bae4b11b3ab662a8663c9f93f43081
SHA512 1d624ee24ce5ea658ba681b0263a273f064b47f73c9b8d72dec9c8f7a66a2230ee56b18e11ed733756ffd3e01374178cf307fc9e6bc7cdbbb282b4c7a6016b60

memory/5192-473-0x000000001C340000-0x000000001C442000-memory.dmp

memory/2556-475-0x000000001B920000-0x000000001B976000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\789b5567-4d03-457b-b34a-a8a336cdac71.vbs

MD5 36ba2b23fcd9b4b86fe5d58d50d47841
SHA1 85c9359fecf30d68ec3f9ce30f8a0f612f032fa2
SHA256 927b8e4b15a8ff8e1824e01b16a28be07ba1e336ca3c75d6bc7c0327b32c178d
SHA512 cd0122c1155034888415f2342e6b95ee5bb41ac35bc6eb4ee547ebc0ce86720c2b21d51fd277d99ce36bd34054042a1c9b9ab5757c9314f55220dd4aa78783ed

C:\Users\Admin\AppData\Local\Temp\84102f20-aa3c-41a3-b2ce-dc2a6492decb.vbs

MD5 efa9123c0bd5e1e1498fca82ca2efa71
SHA1 d2b1fe555229875cb64aae262b5d982f8d6782e9
SHA256 faa8dffc57f246ed7c5d0950e52f45723493e97667f6c51b683116e4666e1acd
SHA512 ebe9b6d5e0f09be23b9dd4eb750b57225efe2f0cf9a7044c3880792abdd677d036a189eb0487a3ac8d2d9f147b3f03646ceb3b667649f797dae2262283ee8e01

C:\Users\Admin\AppData\Local\Temp\7b892d72-d363-434a-96a9-40e0fdcb016d.vbs

MD5 c00b210c16ef39da9d6c1cc1abec1cb5
SHA1 37769fd6e528370a830b361beb05dcf32f268670
SHA256 e1c254d8c77d6d2c14df56f4aa9354671274c0493b397365e7ec797307f0699e
SHA512 037b884866c9045aa72d11f4b5e81854842846f362b884783d32a9ad42f03d27d0c9429c8ef853cbe72bbc6de451ec6c1e0636aee63be81b7850fc4aa34ed7e2

C:\Users\Admin\AppData\Local\Temp\6c51f102-bb6e-4a60-83e7-282963469afb.vbs

MD5 7ff81542723378585958d10475087f80
SHA1 d8d8487f890d6ee0dc0e825778a70df024541f24
SHA256 116b714492325414fec24baea81d4ea75dc1943f02f3062944086cb19c2fdece
SHA512 e97122b8350f9543b0b92a1abb0303cd65ae65cf8fac285fca804ba73f8ecaa15b6aeaaf95cefc4f51f5c744bc881975a96a194e413fdaf4be08648970db2a6c

memory/5788-519-0x000000001CF10000-0x000000001D012000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8e9d9a49-1964-40e0-a87c-956dab7af13d.vbs

MD5 fc0a5ef0e9d30b74883bb204eef97d84
SHA1 885e223a9dfacd2855ba225be5c400e0106b933d
SHA256 8bd2f59616ab514bd7af390ca12f090cac97cf00ae94b3cccc989bf40d8175d0
SHA512 3f032658c12bb016bff845848db6c28a0eec6587d170a06f9b85b30bb932a68aa10630366ba9bb7bb28e3cfe7884d282188aefc394a480225c998c132a4e3537

memory/4836-531-0x000000001C280000-0x000000001C382000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e509c3c8-ea34-49f8-810e-9046cb579038.vbs

MD5 b86b2f018fc23c0b0e8aebae21cbdb02
SHA1 e30958f057d6a442413dd3656d4b88cd35677cf8
SHA256 e58da27436a4fbedf817cacd8ce52ca392036119713964dfbceae4d720d108e0
SHA512 36680c5f8ef7ada4235a27cc3e7f82262a2aef5a7fdb006ce0c149dc4bf8288920ddeee16f40181d31216b2cd99dbceaaa423c348561f68161e78dd6c2622396

C:\Users\Admin\AppData\Local\Temp\6bd621da-46e5-412f-b7e4-c55f0f04d253.vbs

MD5 767a7a77da6392be81ab7aceb4f9397f
SHA1 77842c4216babc9f63f18b2947bf2f8cb85cf178
SHA256 cdb65d15b590199349759fd9b392b959ce77c188a34f71a44aaab33aa69da5da
SHA512 c275a770273e5f1b8342315d08d02e222b0f6224dd4864a0ab5458631a06ff22de36d4168d99281560ec1c66d1a7478fd423eacced41df38e79078494cd27a8c

C:\Users\Admin\AppData\Local\Temp\dba74704-55f4-48c4-b364-deafda8e0859.vbs

MD5 18cfcb42776f8791b42e6eac73ebd112
SHA1 9be59a1f40696f49beac0e507b55c514f1b67c3d
SHA256 5d3186519abc58a149cc5404092f8146339791da22723f8d3a1d01411a0448c7
SHA512 b949ce8c71ef6b6075acf61471ad37593a6f7a1de72b04443e4a84a452b5c59b9bc00de92c89eece4d3173a89e6c90b9c59072a60b4780695affebbbcb41d04d

memory/4040-565-0x000000001B7A0000-0x000000001B7B2000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-13 18:49

Reported

2024-05-13 18:51

Platform

win7-20240508-en

Max time kernel

150s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX31A3.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File created C:\Program Files\Internet Explorer\winlogon.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Defender\it-IT\RCX23A2.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\lsm.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Internet Explorer\RCX2EB3.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Internet Explorer\RCX2F21.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Internet Explorer\winlogon.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX3134.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Media Player\Network Sharing\lsm.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Defender\it-IT\RCX23A1.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Defender\it-IT\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\RCX25B6.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\RCX2624.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Defender\it-IT\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Media Player\Network Sharing\101b941d020240 C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Defender\it-IT\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File created C:\Program Files\Internet Explorer\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\RCX2C9E.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\RCX2C9F.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\lsm.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\a946e4dc0a56f2 C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File created C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\lsm.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File created C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\101b941d020240 C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\RCX2A2C.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\RCX2A2D.tmp C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2424 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2424 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 536 wrote to memory of 1744 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 536 wrote to memory of 1744 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 536 wrote to memory of 1744 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 536 wrote to memory of 292 N/A C:\Windows\System32\cmd.exe C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
PID 536 wrote to memory of 292 N/A C:\Windows\System32\cmd.exe C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
PID 536 wrote to memory of 292 N/A C:\Windows\System32\cmd.exe C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
PID 292 wrote to memory of 2596 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe C:\Windows\System32\WScript.exe
PID 292 wrote to memory of 2596 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe C:\Windows\System32\WScript.exe
PID 292 wrote to memory of 2596 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe C:\Windows\System32\WScript.exe
PID 292 wrote to memory of 1576 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe C:\Windows\System32\WScript.exe
PID 292 wrote to memory of 1576 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe C:\Windows\System32\WScript.exe
PID 292 wrote to memory of 1576 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe C:\Windows\System32\WScript.exe
PID 2596 wrote to memory of 1652 N/A C:\Windows\System32\WScript.exe C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
PID 2596 wrote to memory of 1652 N/A C:\Windows\System32\WScript.exe C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
PID 2596 wrote to memory of 1652 N/A C:\Windows\System32\WScript.exe C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
PID 1652 wrote to memory of 2132 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe C:\Windows\System32\WScript.exe
PID 1652 wrote to memory of 2132 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe C:\Windows\System32\WScript.exe
PID 1652 wrote to memory of 2132 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe C:\Windows\System32\WScript.exe
PID 1652 wrote to memory of 2976 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe C:\Windows\System32\WScript.exe
PID 1652 wrote to memory of 2976 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe C:\Windows\System32\WScript.exe
PID 1652 wrote to memory of 2976 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe C:\Windows\System32\WScript.exe
PID 2132 wrote to memory of 1296 N/A C:\Windows\System32\WScript.exe C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
PID 2132 wrote to memory of 1296 N/A C:\Windows\System32\WScript.exe C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
PID 2132 wrote to memory of 1296 N/A C:\Windows\System32\WScript.exe C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe
PID 1296 wrote to memory of 624 N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Desktop\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Desktop\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Downloads\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\it-IT\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\it-IT\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Network Sharing\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Network Sharing\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics0" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics" /sc ONLOGON /tr "'C:\Windows\Fonts\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics0" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default\NetHood\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\NetHood\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default\NetHood\services.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WemxlMlzgx.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe

"C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11bd8d8e-5f79-49ad-9a25-3074162a2abf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ecb2cc2-cb81-47ef-83bf-c14eecd62923.vbs"

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfda475f-2f34-4728-a1d6-2d92b6bc2c2b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b37a851-7dff-4ee2-b97a-2c9cecaae4d6.vbs"

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0418a95-c32e-46f8-97bf-798fdf835b7d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6aa0e89d-56e1-4b72-a662-04199387ea97.vbs"

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df84f95f-ec81-487a-b75b-d4aca1324777.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5f2bfd6-feb7-498d-8f91-14befed056b4.vbs"

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59d5f118-5d7b-43e3-a13b-6ac94899590a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac2c65eb-b9d2-4050-b202-06475ddd8edb.vbs"

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a64e887-0dd6-46b0-b021-25d984d2b0e3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8185cbae-530e-4313-9dac-c2dd5cb84acc.vbs"

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52909b4a-e230-4366-8221-a79f0145ee77.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f55d8b27-1e83-4965-afae-959964428edb.vbs"

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3a1c5c7-9e11-4be1-9136-ac42a59bfc5e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14e8519e-9755-47f7-934f-438909566f85.vbs"

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5eae11ce-2f49-4c9a-9e5f-e6e0b98509c4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a4e855f-3ca1-40c1-b612-5afdd744f45c.vbs"

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c8fe3fa-cc26-47f2-9912-795cb7d005e0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f71d630-4cf3-4b42-a801-d995437f1824.vbs"

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\636ddb08-054b-43cc-825e-c4c27dc20f4c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d661e586-38cc-4004-8e1a-50317f4d462e.vbs"

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f44a2b8-d14b-4570-a8d1-94be2589060a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72c32c4d-a8ce-4c04-8ce9-e2500e150198.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 self-lighting-subpr.000webhostapp.com udp
US 145.14.145.74:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.145.74:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.145.74:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.145.74:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.145.74:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.145.74:80 self-lighting-subpr.000webhostapp.com tcp
US 8.8.8.8:53 self-lighting-subpr.000webhostapp.com udp
US 145.14.145.17:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.145.17:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.145.17:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.145.17:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.145.17:80 self-lighting-subpr.000webhostapp.com tcp

Files

memory/2424-0-0x000007FEF52E3000-0x000007FEF52E4000-memory.dmp

memory/2424-1-0x0000000000C80000-0x0000000000FBC000-memory.dmp

memory/2424-2-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

memory/2424-3-0x00000000002D0000-0x00000000002DE000-memory.dmp

memory/2424-4-0x00000000002E0000-0x00000000002EE000-memory.dmp

memory/2424-5-0x00000000002F0000-0x00000000002F8000-memory.dmp

memory/2424-6-0x0000000000300000-0x000000000031C000-memory.dmp

memory/2424-7-0x00000000004A0000-0x00000000004A8000-memory.dmp

memory/2424-8-0x00000000004B0000-0x00000000004C0000-memory.dmp

memory/2424-9-0x0000000000A60000-0x0000000000A76000-memory.dmp

memory/2424-10-0x0000000000A80000-0x0000000000A88000-memory.dmp

memory/2424-11-0x0000000000C30000-0x0000000000C40000-memory.dmp

memory/2424-12-0x0000000000A90000-0x0000000000A9A000-memory.dmp

memory/2424-13-0x00000000023C0000-0x0000000002416000-memory.dmp

memory/2424-14-0x0000000000C40000-0x0000000000C4C000-memory.dmp

memory/2424-15-0x0000000000C50000-0x0000000000C58000-memory.dmp

memory/2424-16-0x0000000000C60000-0x0000000000C6C000-memory.dmp

memory/2424-17-0x0000000000C70000-0x0000000000C78000-memory.dmp

memory/2424-18-0x0000000002510000-0x0000000002522000-memory.dmp

memory/2424-19-0x0000000002540000-0x000000000254C000-memory.dmp

memory/2424-20-0x0000000002550000-0x000000000255C000-memory.dmp

memory/2424-21-0x0000000002560000-0x000000000256C000-memory.dmp

memory/2424-22-0x0000000002570000-0x000000000257C000-memory.dmp

memory/2424-23-0x000000001A990000-0x000000001A998000-memory.dmp

memory/2424-24-0x000000001A980000-0x000000001A98A000-memory.dmp

memory/2424-25-0x000000001A9A0000-0x000000001A9AE000-memory.dmp

memory/2424-26-0x000000001A9B0000-0x000000001A9B8000-memory.dmp

memory/2424-27-0x000000001A9C0000-0x000000001A9CE000-memory.dmp

memory/2424-28-0x000000001A9D0000-0x000000001A9DC000-memory.dmp

memory/2424-29-0x000000001A9E0000-0x000000001A9E8000-memory.dmp

memory/2424-30-0x000000001A9F0000-0x000000001A9FA000-memory.dmp

memory/2424-32-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

memory/2424-31-0x000000001AEB0000-0x000000001AEBC000-memory.dmp

C:\Program Files\Windows Defender\it-IT\spoolsv.exe

MD5 00195dc23ea8cc5cb728c411f684ff40
SHA1 604a8ca144781805d4ea73de01caee8ba98c176d
SHA256 5d911e8e304885f5489587b85e5a43101d5a1078cbcb27727bdd16b78dd45df1
SHA512 218d3eb66ed906759a695160e8984e95e75aa2c7c4e5558d5941c16658f3e1df718213e307a9f8d3823fd4eaa8713e8cfda95f5de70b9d29cd29ad2ca73c3ddd

C:\Program Files\Windows Media Player\Network Sharing\lsm.exe

MD5 b0076192bcb41d8a6117c48d4e982b3f
SHA1 6fb1a64f3b12bffd6c2d789d2685a2c0d46e49e1
SHA256 e1d7189ccc2ef3a8f33ddcfb089dc6f48e5b4a0cab12f948fc223969f836ff57
SHA512 c172b3d0c21ff3b043d8a7fad074be4af6e21a39a2de72769a0d321b751b6d164fbd29776d6dd1611c40436b6a1d57b536c4a65c08bf24d4fb10b9969b056ec0

C:\Program Files\Internet Explorer\winlogon.exe

MD5 bd0088e3beae02e5de4fd944bbe608fc
SHA1 c64b3c35bf65af6f1560f27664956fe3d5a60e3b
SHA256 c17ca9ea18dc949bab1d312c05646c3492ebf5d662a1d19f94dd715735ae60bb
SHA512 17f368c88f126321fbbcc26c587093b2cd86f5f23711fb907ba99f5e53fec46e630226ab1cfba4c84ed639265dd03a880dd1c6726ace93c68cc0a89679624e81

C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe

MD5 a78375666ec40adbc66c67d9c35b2e45
SHA1 0663cf4acc5a1fe3e47749b82aa4b5ce9d73a143
SHA256 c31d86e19a9d250e11bd588a7151ecf3cdf48deeacb71d443903046534c85d44
SHA512 c30a7558a0bae0ff7f125f274dd4febd48fddbac54efa32e891c70fff9c9d3b99715fb11e379e5e2e3c6f6d589bc3296f52cdc6588d13e107ccd2f59867b1e58

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\services.exe

MD5 d618d1f6ed1e1b283005b5c51c2568eb
SHA1 8198c993bc5f28bc9121eef5324d3fe3e1f91c5c
SHA256 388f6b5d5569066dd299b9c997191fffe4665ccfeb1ac1f92ee58b224fa940a4
SHA512 9adba9ee8e34f5666a613ac334146a283205fe99c0db445b4909554b1e71f5e43ebd9b4894d6110612e96dd4c060275cfd4bc6eca38c09d51e64fb8f29d8c650

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 28c5be1c4d9e189e1f54cf9d53daa053
SHA1 342793848d4e46cbb4127b3e14933b29bbbd4a98
SHA256 1fb6e08145b04972f76c3e1f3705e836df8a59125ee60be722018b50abedab9c
SHA512 135287653d9dd962f63a77a5aef111a6e5b728f3d78386438a24a1ace920685bbaf751d1ec0750bdd6ade9e430383536daafe4be3ae31b626efaf9d78f789613

memory/1712-230-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

memory/2424-231-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

memory/1712-229-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WemxlMlzgx.bat

MD5 5e39bb4f80e55ed72157f36eef423dca
SHA1 452c3fa3defc6b64f9d71aa25c8bac63615f2486
SHA256 124259e94e948f91a0c7edf1f22b0376d2f5037ac27f93e0622131419827638a
SHA512 0bf37b543f16ea28aaff86d805f16ea4e1d0ced5293003ea97202b7727bab5b3d9fb699da68cbf5b47907c1f05a6c5f66c91a90397c23917a141066a8878b897

memory/292-270-0x0000000000300000-0x000000000063C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11bd8d8e-5f79-49ad-9a25-3074162a2abf.vbs

MD5 eece65c143574b47c3eaa073f2ad9577
SHA1 35f32fbc2e0bb8912f9e90c41a8b76b4dd63eeb0
SHA256 d267d59025c79ecd45ed4680972b106f82ecfa28085445b82ce7773a14bffd03
SHA512 170318f8db866ead02dd8c147ff2b341beffd6ddd6aef8b755ffd7b28c9b8c5c074042bae9280f462aa6bd0ef54498a25ce180f7410e92e23382688f8905704a

C:\Users\Admin\AppData\Local\Temp\5ecb2cc2-cb81-47ef-83bf-c14eecd62923.vbs

MD5 484a201a237c064e81412e90ad9a06b2
SHA1 9434ca0fc12641a863b4bdd4d173406b036ea10a
SHA256 f97e6d738556d7039104d4359d8d9460d5bfb0975cb82e26132ff01794f217cf
SHA512 b96358f09400645a97294424b2de6932ea9c9a0cf4bae0dcdca646ea8ae23b9bfced0add122c98f05131ed9b1fd5fe79c0abc42371593110dcbdb691db56a453

memory/1652-281-0x0000000000ED0000-0x000000000120C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bfda475f-2f34-4728-a1d6-2d92b6bc2c2b.vbs

MD5 b7697ef6a3698cd2d26050e0bcd4c783
SHA1 57f05388c1f0659c54c2c823b5224f6e7d3f3ae3
SHA256 fd24419e478a282242d820e483520baa53e198285f9a5830647a2cff9c7657f3
SHA512 c10ee3914cc27364999bc0cfb713c6e77bd1e9570e8ea6abc4e8f85022d3cafcf67e0ed50c112cc0930c3dacddf1dad8876f5dbbc12f66ba0416e170e669b30b

memory/1296-293-0x0000000000EC0000-0x0000000000ED2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d0418a95-c32e-46f8-97bf-798fdf835b7d.vbs

MD5 e16751969adceb1ca615ac4a9ebb556b
SHA1 f567386f0a7c48c0cdbf75adcc89d177654336da
SHA256 7176367ff522d5ee4484669647b71e6398465f8144102dda4e2bd8e168df31f6
SHA512 bd5fc196a82067625cc3d3f8569af9e5c7a3a0bfae5456a7e133ba593b1425a8f4ac5e001baf8db68d074860da0bb684f5d90199883f05388019523eb01201b9

C:\Users\Admin\AppData\Local\Temp\df84f95f-ec81-487a-b75b-d4aca1324777.vbs

MD5 5751c4a742e68539ace8dfb5f4469494
SHA1 84584ec4ad06a8f098740fdfc9074bd6f261aa52
SHA256 291a342c1f10173ee2d8e3509b79252a74c253cda81ada1cd8c985b4f9380e4a
SHA512 513ae981cc6dfb60fdd493a45974931a9080078ef8943841d82fd9830e39cab124d835d579c27a4af63d8731fdf183a145466d23c64fcee1335a81ecbcf86660

C:\Users\Admin\AppData\Local\Temp\59d5f118-5d7b-43e3-a13b-6ac94899590a.vbs

MD5 9480d92c1afb035726d91e72388757eb
SHA1 03be624de37f9fcbddccac198afdfa10cbf66e8e
SHA256 3edb3c9a165e694953d3e18bdeb5fb351fd38040b207bf88e0b8258e77604ee1
SHA512 47fd79e4377068ec626e63107cc91bca212efdba41a0fd69d81105eb3025745e17ca8e4d5053fe91f17f79da21d306023661fac5a98442e35664bf16da65c884

memory/2412-327-0x00000000001D0000-0x000000000050C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4a64e887-0dd6-46b0-b021-25d984d2b0e3.vbs

MD5 3e4fdc5725796ba0ca79507fb0d1caac
SHA1 187b6e95d4ed41e5237e4490cf9f9ab6c4a4d65b
SHA256 1d7e86f347f5110918a6cd33a378bd008cd64fda2a0fd185fa2a032dc02b507b
SHA512 407b75a720492c061c8694c2379bedf7bcbcb46b77f9643ebcb88d8008f9e9b233d0dafea77e0c26b276d2f54dab3c58428618fd5ea9ae7d8c1813701d2f1ce1

memory/2100-339-0x0000000000E10000-0x000000000114C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\52909b4a-e230-4366-8221-a79f0145ee77.vbs

MD5 f042ad399d11e8bf55fa331ae78b1d31
SHA1 413566335910af436f9505472fe91bb63e27e75a
SHA256 9ac577544f577234fe08457fc928d2f84592be1439b296746235053324bb7ace
SHA512 355d0e7029ccc45a7b3699df6d09039090a293faccca9324108b93e7e43fd7a03751c12bf0782d12e9f3bab12961c454180cb057b497246e08519888534c1965

memory/2060-351-0x0000000000140000-0x000000000047C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d3a1c5c7-9e11-4be1-9136-ac42a59bfc5e.vbs

MD5 58774ef42c8e761d4b8b4b1a69f35a3e
SHA1 72a51ea2c61e4616be4f98da31f938f2bd01876a
SHA256 e39d1b70881c964d7843d05e9961a4073e95637f024fb2b6e6c17ed5575d3166
SHA512 9c024167e9a3368ce375d39744f48424cfe3014e89718104d2c82cd6048f496f3f356d794bb5e7a98189991dc56876c74a57ccfe474f870946148b74461e847a

memory/2688-363-0x0000000000AE0000-0x0000000000E1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5eae11ce-2f49-4c9a-9e5f-e6e0b98509c4.vbs

MD5 73871616b62dec970c57d3494d67b703
SHA1 89c9637cd2f89ac6beab8ee82782abf78a5404df
SHA256 547e00e643730c92c4576d43834447d1ecc54acdea02035a9f0fc6d22fe5db4c
SHA512 a4db5a8b98da9a07bf0dc532e0d543e50032cea124553511f9e47134ff686bc891ef361a8de0ef851478e1510446d7eebbdceddd2ee0c4a823c86e95261c57cc

memory/2488-375-0x000000001B0B0000-0x000000001B106000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6c8fe3fa-cc26-47f2-9912-795cb7d005e0.vbs

MD5 c1e649ceef4d602b7a8b55739564cb28
SHA1 cff65256d15070b5bec5c5b2b9ef5bb336d5e094
SHA256 41726808d2c1fd34e49bd48b75f6fdc4a044451894ef04c9ad2c952edd4d89bf
SHA512 a18a44f24dbf0113b0266f882247f31ee3f59c818c8d693792ca7a7355ee79009f52e9fc7af68cc01e653402111e5f0491ceca76c775f472f0e6ae0bd8980c46

memory/764-387-0x0000000000B40000-0x0000000000E7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\636ddb08-054b-43cc-825e-c4c27dc20f4c.vbs

MD5 eab03728adcbd26b7fe7598ebdbfc4e5
SHA1 0e6485d957fdec273fc08336a24f682f07341c56
SHA256 013e0c23108867841ed17c5935d6fe66042482fc8323c4cfc932500f71de26e9
SHA512 cdc7b6ef945acc9ca556b470a70979aa3f25477d5623f6aa17dc145cdb9fefe7da1454653a4124b70026fdd450fc3495682d82381c593f1fa2d29ff024a74b79

memory/1936-399-0x0000000001040000-0x000000000137C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6f44a2b8-d14b-4570-a8d1-94be2589060a.vbs

MD5 808f3ccd561c0e40ad20323363759a44
SHA1 3ed766465a6d4272e485e901d1055463f9e2c335
SHA256 13afdbb99982c3d72cf2b1dd03b385a6490fbeb5c321d41b5f1294371ef51dbd
SHA512 03a7bc910d9165450924ad1e366588ff4f717673e51c706678a511b43a3e02e1213570b4bc15186dd3d0d754baeb815d4ef92176fe8d5ed393c5c6a38cbf0cc5