Malware Analysis Report

2024-11-15 05:49

Sample ID 240514-hlwxeseb7z
Target 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics
SHA256 15da106135fb0203f99b4cea15f31623008d8d81faf4648b494b2b53a2ee85ce
Tags
rat dcrat evasion execution infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

15da106135fb0203f99b4cea15f31623008d8d81faf4648b494b2b53a2ee85ce

Threat Level: Known bad

The file 990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion execution infostealer trojan

Dcrat family

UAC bypass

Process spawned unexpected child process

DcRat

DCRat payload

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

System policy modification

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-14 06:50

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-14 06:50

Reported

2024-05-14 06:52

Platform

win7-20240215-en

Max time kernel

146s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Windows Defender\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\0a1fd5f707cd16 | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files\Windows Mail\de-DE\RCX11CD.tmp | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Defender\RCX13D1.tmp | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Defender\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | N/A
File created | C:\Program Files\Windows Mail\de-DE\csrss.exe | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files\Windows Mail\de-DE\csrss.exe | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | N/A
File created | C:\Program Files\Windows Mail\de-DE\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
N/A | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
N/A | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
N/A | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
N/A | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
N/A | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
N/A | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
N/A | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
N/A | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
N/A | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
N/A | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2220 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1560 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1560 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1560 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1860 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1860 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1860 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 896 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Program Files\Windows Mail\de-DE\csrss.exe
PID 2220 wrote to memory of 896 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Program Files\Windows Mail\de-DE\csrss.exe
PID 2220 wrote to memory of 896 | N/A | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | C:\Program Files\Windows Mail\de-DE\csrss.exe
PID 896 wrote to memory of 2456 | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | C:\Windows\System32\WScript.exe
PID 896 wrote to memory of 2456 | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | C:\Windows\System32\WScript.exe
PID 896 wrote to memory of 2456 | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | C:\Windows\System32\WScript.exe
PID 896 wrote to memory of 2108 | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | C:\Windows\System32\WScript.exe
PID 896 wrote to memory of 2108 | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | C:\Windows\System32\WScript.exe
PID 896 wrote to memory of 2108 | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | C:\Windows\System32\WScript.exe
PID 2456 wrote to memory of 2828 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files\Windows Mail\de-DE\csrss.exe
PID 2456 wrote to memory of 2828 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files\Windows Mail\de-DE\csrss.exe
PID 2456 wrote to memory of 2828 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files\Windows Mail\de-DE\csrss.exe
PID 2828 wrote to memory of 2052 | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | C:\Windows\System32\WScript.exe
PID 2828 wrote to memory of 2052 | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | C:\Windows\System32\WScript.exe
PID 2828 wrote to memory of 2052 | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | C:\Windows\System32\WScript.exe
PID 2828 wrote to memory of 1720 | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | C:\Windows\System32\WScript.exe
PID 2828 wrote to memory of 1720 | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | C:\Windows\System32\WScript.exe
PID 2828 wrote to memory of 1720 | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | C:\Windows\System32\WScript.exe
PID 2052 wrote to memory of 448 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files\Windows Mail\de-DE\csrss.exe
PID 2052 wrote to memory of 448 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files\Windows Mail\de-DE\csrss.exe
PID 2052 wrote to memory of 448 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files\Windows Mail\de-DE\csrss.exe
PID 448 wrote to memory of 1180 | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | C:\Windows\System32\WScript.exe
PID 448 wrote to memory of 1180 | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | C:\Windows\System32\WScript.exe
PID 448 wrote to memory of 1180 | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | C:\Windows\System32\WScript.exe
PID 448 wrote to memory of 3060 | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | C:\Windows\System32\WScript.exe
PID 448 wrote to memory of 3060 | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | C:\Windows\System32\WScript.exe
PID 448 wrote to memory of 3060 | N/A | C:\Program Files\Windows Mail\de-DE\csrss.exe | C:\Windows\System32\WScript.exe
PID 1180 wrote to memory of 1860 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files\Windows Mail\de-DE\csrss.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Mail\de-DE\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe | N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Mail\de-DE\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Mail\de-DE\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Mail\de-DE\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Mail\de-DE\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Mail\de-DE\csrss.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\de-DE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\de-DE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Program Files\Windows Mail\de-DE\csrss.exe

"C:\Program Files\Windows Mail\de-DE\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\185407a1-ef0e-49cb-bb20-f12afe194798.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86f77dcd-f637-4fda-a349-7269bc1d1464.vbs"

C:\Program Files\Windows Mail\de-DE\csrss.exe

"C:\Program Files\Windows Mail\de-DE\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65ece361-dcc8-4f65-a168-3819c64827e4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72caf75e-cad9-4781-8c2e-d913ab3af909.vbs"

C:\Program Files\Windows Mail\de-DE\csrss.exe

"C:\Program Files\Windows Mail\de-DE\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0820b82f-a8e5-40b9-9995-cf1648b2048c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\851a19cf-dab5-4d14-b289-10fcb40586d1.vbs"

C:\Program Files\Windows Mail\de-DE\csrss.exe

"C:\Program Files\Windows Mail\de-DE\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db8388fb-6b8b-4fda-9e41-6e3429531204.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\449b550b-8a6b-4954-af14-4cff9cbf12fb.vbs"

C:\Program Files\Windows Mail\de-DE\csrss.exe

"C:\Program Files\Windows Mail\de-DE\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd99fce0-ac1b-46fd-9122-36b30a3e3fbf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2842139-e063-4a4d-a0fb-3d6d9acde562.vbs"

C:\Program Files\Windows Mail\de-DE\csrss.exe

"C:\Program Files\Windows Mail\de-DE\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77706628-256a-49f6-8c13-a93066434f0b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8b85c59-4d2e-460d-b78c-f6c272b2f1e2.vbs"

C:\Program Files\Windows Mail\de-DE\csrss.exe

"C:\Program Files\Windows Mail\de-DE\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07944de0-2386-49f3-91c3-da6a00fac3b5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d1c1e8d-cc21-41da-af0d-dd50df4c0d25.vbs"

C:\Program Files\Windows Mail\de-DE\csrss.exe

"C:\Program Files\Windows Mail\de-DE\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bef2283-08d7-4f2f-bd3c-589bdc35db91.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93a1f5eb-8af0-4260-b151-4f064e3d1a0b.vbs"

C:\Program Files\Windows Mail\de-DE\csrss.exe

"C:\Program Files\Windows Mail\de-DE\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65017ef3-98ba-4741-9dd2-eefad4c3ce61.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ff5d5e5-5242-40a8-b8e3-7cc09728c1c6.vbs"

C:\Program Files\Windows Mail\de-DE\csrss.exe

"C:\Program Files\Windows Mail\de-DE\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a26a97e-cb72-4e26-943a-07127c6e85ef.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\671c2fdd-fae3-4bf4-87e8-e28394d58414.vbs"

C:\Program Files\Windows Mail\de-DE\csrss.exe

"C:\Program Files\Windows Mail\de-DE\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\524ae021-d61c-4395-8cf9-750c7515d172.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3473047-791a-4789-8d9c-f75c66375ea1.vbs"

Network

Country Destination Domain Proto
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp

Files

memory/2220-0-0x000007FEF5CA3000-0x000007FEF5CA4000-memory.dmp

memory/2220-1-0x0000000001380000-0x0000000001666000-memory.dmp

memory/2220-2-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp

memory/2220-3-0x0000000000450000-0x000000000046C000-memory.dmp

memory/2220-4-0x0000000000330000-0x0000000000338000-memory.dmp

memory/2220-5-0x0000000000470000-0x0000000000480000-memory.dmp

memory/2220-6-0x0000000000480000-0x0000000000496000-memory.dmp

memory/2220-7-0x00000000004A0000-0x00000000004A8000-memory.dmp

memory/2220-8-0x00000000004F0000-0x00000000004F8000-memory.dmp

memory/2220-9-0x0000000000510000-0x0000000000520000-memory.dmp

memory/2220-10-0x0000000000500000-0x000000000050A000-memory.dmp

memory/2220-11-0x0000000000DA0000-0x0000000000DF6000-memory.dmp

memory/2220-12-0x0000000000530000-0x000000000053C000-memory.dmp

memory/2220-13-0x0000000000540000-0x0000000000548000-memory.dmp

memory/2220-14-0x0000000000550000-0x000000000055C000-memory.dmp

memory/2220-15-0x0000000000560000-0x0000000000572000-memory.dmp

memory/2220-16-0x0000000000E70000-0x0000000000E78000-memory.dmp

memory/2220-17-0x0000000000E80000-0x0000000000E88000-memory.dmp

memory/2220-18-0x0000000000E90000-0x0000000000E9A000-memory.dmp

memory/2220-19-0x0000000000EA0000-0x0000000000EAE000-memory.dmp

memory/2220-20-0x0000000000EB0000-0x0000000000EB8000-memory.dmp

memory/2220-21-0x0000000000EC0000-0x0000000000ECE000-memory.dmp

memory/2220-22-0x0000000000ED0000-0x0000000000EDC000-memory.dmp

memory/2220-23-0x0000000000F60000-0x0000000000F68000-memory.dmp

memory/2220-24-0x0000000000F70000-0x0000000000F7A000-memory.dmp

memory/2220-25-0x0000000000F80000-0x0000000000F8C000-memory.dmp

C:\Program Files\Windows Mail\de-DE\csrss.exe

MD5 990d69ce8a7a58fa44a5071429041ff0
SHA1 0f2603214e0b81c26a094b7e5fe76b7fa40be4b1
SHA256 15da106135fb0203f99b4cea15f31623008d8d81faf4648b494b2b53a2ee85ce
SHA512 6197dbd8e964fcc41df771b3defc6e0e2186c93d275bbd9fcc9745298cf3d3631fbfcd21058c2257a8d80f7fe258bcd33d5dbbe23d6b66702297aeeb2edb00dc

memory/2308-61-0x000000001B540000-0x000000001B822000-memory.dmp

memory/2308-71-0x00000000029E0000-0x00000000029E8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 c99a21ce2b39cffcb0d6badf380f5534
SHA1 edb9f580761ea4ae8de8120e90128e7d12b69b42
SHA256 0999f3f83992f1c07efdf50f5497b60afe80e8c7cc99daef7d1951d324c76fe3
SHA512 5c107696937d089371c705669d8edb83d39c2ec1380664d313306186e08e50afb9103278734aebd6cbc2eb8122cce5be6d80aabeb8b88bae9f19ac605a4967a4

memory/2220-117-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp

memory/896-118-0x00000000008A0000-0x0000000000B86000-memory.dmp

memory/896-119-0x000000001AB10000-0x000000001AB66000-memory.dmp

memory/896-120-0x0000000002310000-0x0000000002322000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\86f77dcd-f637-4fda-a349-7269bc1d1464.vbs

MD5 55c80bb6c9e1e4569c12a5b003cab0f5
SHA1 173abb8e1265107471493955ab6f52d7f737fe2d
SHA256 b52e830b23dce56896a3898b05a0d86c97677f6bd6cf45c40630943ac212ffcd
SHA512 824888baaf54dbb6ceef4fd33d959f689267077a26203942d8dd55b2a6304bbff3d3ac47ff07f2c86934e08611545d45da72d8c5526fa22b37bc882c6f62a99c

C:\Users\Admin\AppData\Local\Temp\185407a1-ef0e-49cb-bb20-f12afe194798.vbs

MD5 66cf3a20220273c5e71109453542dced
SHA1 a172037c4b13682e67f219d0660b424a0c1ce3c1
SHA256 c6bc0c2a2abbbb6bb52b3847c69403697e00a1e513307204ec4fe05256960254
SHA512 18b157b70f981cf7291bd541ca9fc2d49c9270b292c13a50b68b5b403ba970f03890379f902bb176c295f56e521afece06b466db89713b864d3e2250f4aee26a

memory/2828-131-0x0000000000270000-0x0000000000556000-memory.dmp

memory/2828-132-0x0000000000910000-0x0000000000922000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\65ece361-dcc8-4f65-a168-3819c64827e4.vbs

MD5 b908f0c392f825711b0b8e73d6a4fd79
SHA1 89d8808ca252661c8e97bfaf4b6ceca38bd00adb
SHA256 b2133f2c397672a8e286884931600e7262dcc35a9d20a16ab023db9fabeb4316
SHA512 98693a790d0334e81679b4b40afc703a3534aca13517a4e9e59dc5834f69949153e72506bd7885d1e740cc4471a035661969b6454e33305bca0601a7dbf95caa

memory/448-144-0x0000000000850000-0x0000000000B36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0820b82f-a8e5-40b9-9995-cf1648b2048c.vbs

MD5 b2517e499e7e45e6a0791434e68181b2
SHA1 dc19e8ff24c8e26c955934e3e29d0dd67f0ce616
SHA256 e4adfd608ba47a0b20c391eac662f093a64d36afdfa59ec6d30a30c71fef279d
SHA512 ef606e08b0568af1a55807064e274819b96a5bda2549d527689d66a0cca87457a554c62f2864df733a97d54a58bc06706a6481d39a097019b83ae43872792b5b

memory/1860-156-0x00000000003E0000-0x00000000006C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\db8388fb-6b8b-4fda-9e41-6e3429531204.vbs

MD5 03f259e9b11c4ef337de944d179e2da3
SHA1 46f4d0e205ed0cf30a53709760c2a66b2d0ffe39
SHA256 c0830df31e73b261c598ac280d68b0691c3030ea36cc7ee841a3dfa32e53ace4
SHA512 0b55b020f58031436f85a4ef03e8eaf5babfbee63f59898f1890984ee0e9ffbe89f27d7be3d391c77b07cdacb20a04212cef63496606bb9102a2fad356c5c284

memory/2104-168-0x0000000001260000-0x0000000001546000-memory.dmp

memory/2104-169-0x0000000000CE0000-0x0000000000CF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bd99fce0-ac1b-46fd-9122-36b30a3e3fbf.vbs

MD5 66d5ec05564f3c0e3861b1a1192a5c79
SHA1 baef26ef799656e6c0730a0e915bc9687fdc8071
SHA256 94c4f7e9becc90a95b648a49ff877b38323e83ebdaebb464e0cc5db8414b107d
SHA512 ab7838944ede9694a51ddf16c99b3906a3c47c9f594b1afd0097b47d0af289f596d0b6000a24391859f684dfeda14c38ffb3916050e0c85dcb77a72c0f0a31f0

memory/2492-181-0x00000000001A0000-0x0000000000486000-memory.dmp

memory/2492-182-0x0000000000810000-0x0000000000822000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\77706628-256a-49f6-8c13-a93066434f0b.vbs

MD5 dbc3670b7e54318c9d139381aa50ac1a
SHA1 b72b3f3a83c151275d51c51ecd73972879bbd88e
SHA256 0ec2b4834bc5c3b05dd3035910d35cb347d64895833cff18dfb5723b33da4232
SHA512 61691ffa05de7cafee9f86d595ea131f6daaf822c1d70066204554b63da87a37ed6a183c17892b27fc3b81defde4fabe10eaa69addf46d8d08d990919e7c4eba

memory/2280-194-0x0000000000240000-0x0000000000526000-memory.dmp

memory/2280-195-0x0000000000860000-0x00000000008B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\07944de0-2386-49f3-91c3-da6a00fac3b5.vbs

MD5 b85c680e42ae7325f2970a235c35481a
SHA1 3413f4359e482a28144e02cd2485dabc18b1a4fa
SHA256 56a21c249829a2b58d8c64ad5b4a4dd4b4cbd3912cf8fbbdf6326e5602cd5dff
SHA512 28e20a50b1534fbd9f408f3851c773150a56053eb326f37dcc9996e9c0867baaad936a8a4306c66a945d190073c3de5703d5ffce7597d0e137e0c3533fe49533

memory/2924-207-0x0000000000D10000-0x0000000000FF6000-memory.dmp

memory/2924-208-0x00000000003D0000-0x0000000000426000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7bef2283-08d7-4f2f-bd3c-589bdc35db91.vbs

MD5 b3fb0ac7cf772b52c32198c5707c7926
SHA1 0cfc4cfb769d892f253e7d877821198a0d9208b5
SHA256 12996765895ba0f75169050a6cfc5d3f97eee8cc2d35c2881125fe062766d0ff
SHA512 bded42fcfa8a87838458301bcb3d89bfbd5d5ffdae817049fc42ed3827e8b1ea2a44ee79a964b73efb8c9977b13f0408360b1d386f5b16802a58a54e212642de

memory/1704-220-0x0000000000250000-0x0000000000536000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\65017ef3-98ba-4741-9dd2-eefad4c3ce61.vbs

MD5 476d971f89330107b7c06f23ce803ac5
SHA1 a210d1d1824aa46d4b44abc73cc46cb569f7b164
SHA256 177ddcc57607059d4b1f3d56186540baf5e1e31375c34698453e41dd971128f9
SHA512 27be343f03ac0f7df4f0c2a39aa70ea0ed2d3918641e0a7c4e08d8b919e3a71701da40c2f4e43c838fa1e00be56f982b54af863b8565b99892944b58ad79fd8a

memory/2612-232-0x00000000003B0000-0x0000000000696000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7a26a97e-cb72-4e26-943a-07127c6e85ef.vbs

MD5 43e3ed2cf8d89d8ddb9b15b566992d7b
SHA1 421ab5583ddf409a7cea009bec768af0c602ec8d
SHA256 bcf001e61d5cd73b74bf90b25816fe04665ba571cc3bec907cb0af413f51b971
SHA512 c145147bb7f47134cf0b34aa7e0a196d512a1f5884803a0380fe8bc3ee3d078be59da950f0f2d68a4788a81240b30740783bd0ca95346d64e88ec3c8c9941861

memory/2392-244-0x00000000011F0000-0x00000000014D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\524ae021-d61c-4395-8cf9-750c7515d172.vbs

MD5 7042f00ace6c18776e57d17a7c783ccf
SHA1 ccf358100ada7489ee453d2887fc37dd1ef51022
SHA256 5b161c16c1dbbb40db8eff34318e42fb17835e4775b0379a4c4bcdb060fee797
SHA512 04d8c20609910d9b190ad521ce9504193176d02de08e0afd2b5d6c36d138c4d3477b1f3965962027f8a1cb74a2e8c849279b42de0bb3f12eafcfcae2e06d7910

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-14 06:50

Reported

2024-05-14 06:52

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\SppExtComObj.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
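The rows above record two different things: reads of EnableLUA, which any installer performs to learn whether UAC is on, and writes that set EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop to 0. Only the writes are evidence of tampering. These values live under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and can only be written by a process that already holds administrative rights, so what the report labels a UAC bypass is, in these rows, an already-elevated process switching UAC off for everything that runs afterwards (EnableLUA=0 takes effect after the next reboot; ConsentPromptBehaviorAdmin=0 removes the consent prompt for administrators; PromptOnSecureDesktop=0 stops prompts from being shown on the secure desktop). The following Python is an added example for checking a batch of report rows for exactly this pattern; it is not part of the sandbox report or its tooling. The sample rows are copied from the tables above plus one benign query, and the row regexes assume the layout used on this page (key path with no spaces for the policy key, process path followed by a trailing N/A).

```python
import re
from collections import defaultdict

# The UAC policy key, written as the kernel object path the report uses,
# and the three values whose "0" setting weakens or disables UAC.
UAC_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_WEAKENING = {
    "EnableLUA": ("0", "UAC disabled entirely (effective after reboot)"),
    "ConsentPromptBehaviorAdmin": ("0", "administrators elevate silently, no consent prompt"),
    "PromptOnSecureDesktop": ("0", "elevation prompts no longer shown on the secure desktop"),
}

# Row layouts as they appear in the report tables (assumed to be stable).
SET_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "([^"]*)" (.+?) N/A$')
QUERY_RE = re.compile(r'^Key value queried (\\REGISTRY\\.+?) (C:\\.+?) N/A$')

# Constructed sample: rows copied from the tables above plus one benign
# Geo\Nation query, so both reads and writes are exercised.
SAMPLE_ROWS = [
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\3D Objects\SppExtComObj.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A',
    r'Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\SppExtComObj.exe N/A',
]


def hive_path(reg_path):
    """Translate the report's kernel object path to the HKLM/HKU form that
    reg.exe, Group Policy and most detection rules use."""
    return (reg_path.replace(r"\REGISTRY\MACHINE", "HKLM", 1)
                    .replace(r"\REGISTRY\USER", "HKU", 1))


def find_uac_tampering(rows):
    """Return {process: {value_name: explanation}} for every write that sets
    one of the UAC policy values to its weakening value. Reads are skipped:
    querying EnableLUA is normal, only the write is evidence of tampering."""
    findings = defaultdict(dict)
    for row in rows:
        m = SET_RE.match(row)
        if not m:
            continue  # a "Key value queried" row, or some other signature line
        _kind, full_path, value, process = m.groups()
        key, _, name = full_path.rpartition("\\")
        if key.lower() != UAC_POLICY_KEY.lower() or name not in UAC_WEAKENING:
            continue
        weak_value, why = UAC_WEAKENING[name]
        if value == weak_value:
            findings[process][name] = why
    return dict(findings)


def queried_keys(rows):
    """Registry values each process read (not wrote), for context."""
    out = defaultdict(set)
    for row in rows:
        m = QUERY_RE.match(row)
        if m:
            out[m.group(2)].add(hive_path(m.group(1)))
    return dict(out)


if __name__ == "__main__":
    for proc, hits in find_uac_tampering(SAMPLE_ROWS).items():
        print(proc)
        for name, why in hits.items():
            print(f"  {hive_path(UAC_POLICY_KEY)}\\{name} = 0  ->  {why}")
```

The check keys on the write, not the value name alone, because EnableLUA also appears in the harmless "Key value queried" rows; a rule that fires on any mention of the value would flag every setup program that asks whether UAC is on.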

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX5A5C.tmp C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCX5E65.tmp C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\de-DE\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\dwm.exe C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\de-DE\RCX4DC3.tmp C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RCX64F0.tmp C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\de-DE\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Portable Devices\4a9bcf20ca9da3 C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\dwm.exe C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\de-DE\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Portable Devices\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ja-JP\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
File created C:\Windows\ja-JP\ea9f0e6c9e2dcd C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\ja-JP\RCX606A.tmp C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\ja-JP\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
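Two things stand out in the two file tables above. Every executable the sample writes (dwm.exe, RuntimeBroker.exe, sppsvc.exe, taskhostw.exe, and its own copy) borrows the name of a genuine Windows binary, but lands in a directory where that binary never lives, such as an Adobe folder, an Ole DB locale folder or C:\Windows\ja-JP. And each copy is accompanied by a 14-hex-character file created in the same directory (6cb0b6c459d5d3 beside dwm.exe, ea9f0e6c9e2dcd beside taskhostw.exe, and so on). The Python below is an added example, not part of the report, that pulls both patterns out of rows in this layout; the RCX*.tmp "opened for modification" rows are ignored as staging files. Assumptions: the list of legitimate directories (System32, SysWOW64 and the WinSxS servicing store) and the sample rows, which are copied from the tables above with one benign constructed row added.

```python
import re
from pathlib import PureWindowsPath

# Windows binaries whose names this dropper reuses, and where the genuine
# copies live. A file with one of these names outside those directories is
# masquerading (ATT&CK T1036.005). Assumption: WinSxS is treated as
# legitimate so servicing copies do not produce noise on a real host.
SYSTEM_BINARY_NAMES = {"dwm.exe", "runtimebroker.exe", "sppsvc.exe",
                       "taskhostw.exe", "sppextcomobj.exe"}
LEGIT_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")

# Row layout from the tables above: the process path that follows the
# indicator always starts with a drive letter, which separates the two
# space-containing paths.
ROW_RE = re.compile(r'^File (created|opened for modification) (.+?) (C:\\.+?) N/A$')
MARKER_RE = re.compile(r'^[0-9a-f]{14}$')  # the 14-hex-char file beside each copy

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe"

# Constructed sample: rows from the two tables above plus one benign create
# (notes.txt) that must not be flagged.
SAMPLE_ROWS = [
    rf'File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\6cb0b6c459d5d3 {DROPPER} N/A',
    rf'File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCX5E65.tmp {DROPPER} N/A',
    rf'File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\dwm.exe {DROPPER} N/A',
    rf'File created C:\Program Files\Common Files\System\Ole DB\de-DE\9e8d7a4ca61bd9 {DROPPER} N/A',
    rf'File created C:\Program Files\Common Files\System\Ole DB\de-DE\RuntimeBroker.exe {DROPPER} N/A',
    rf'File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\0a1fd5f707cd16 {DROPPER} N/A',
    rf'File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\sppsvc.exe {DROPPER} N/A',
    rf'File created C:\Program Files\Windows Portable Devices\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe {DROPPER} N/A',
    rf'File created C:\Program Files\Windows Portable Devices\4a9bcf20ca9da3 {DROPPER} N/A',
    rf'File created C:\Windows\ja-JP\taskhostw.exe {DROPPER} N/A',
    rf'File created C:\Windows\ja-JP\ea9f0e6c9e2dcd {DROPPER} N/A',
    rf'File created C:\Users\Admin\AppData\Local\Temp\notes.txt {DROPPER} N/A',
]


def parse_file_rows(rows):
    """Yield (action, path, process) from the report's file-activity rows."""
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            yield m.group(1), PureWindowsPath(m.group(2)), m.group(3)


def under_legit_dir(path):
    """True if the file sits in (or below) a directory Windows binaries ship in."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == d.lower() or parent.startswith(d.lower() + "\\") for d in LEGIT_DIRS)


def masquerading_drops(rows):
    """Created files that borrow a Windows binary name outside its home directory."""
    hits = []
    for action, path, _proc in parse_file_rows(rows):
        if (action == "created" and path.name.lower() in SYSTEM_BINARY_NAMES
                and not under_legit_dir(path)):
            hits.append(str(path))
    return hits


def companion_markers(rows):
    """Map each created .exe to the 14-hex-char marker created in the same
    directory; the pairing is a stronger indicator than either file alone."""
    created = [p for a, p, _ in parse_file_rows(rows) if a == "created"]
    markers = {str(p.parent).lower(): p for p in created if MARKER_RE.match(p.name)}
    pairs = {}
    for p in created:
        key = str(p.parent).lower()
        if p.suffix.lower() == ".exe" and key in markers:
            pairs[str(p)] = str(markers[key])
    return pairs


if __name__ == "__main__":
    for hit in masquerading_drops(SAMPLE_ROWS):
        print("masquerading copy:", hit)
    for exe, marker in companion_markers(SAMPLE_ROWS).items():
        print("exe + marker:", exe, "<->", marker)
```

On a live host the same two checks translate directly: list every file named like a System32 binary outside System32/SysWOW64/WinSxS, and look for a 14-hex-character sibling next to it. The self-copy under Windows Portable Devices is not a masquerade by name, so only the marker pairing catches it.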

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\3D Objects\SppExtComObj.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\SppExtComObj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Users\Admin\3D Objects\SppExtComObj.exe
PID 2020 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe C:\Users\Admin\3D Objects\SppExtComObj.exe
PID 1056 wrote to memory of 824 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 1056 wrote to memory of 824 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 1056 wrote to memory of 3928 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 1056 wrote to memory of 3928 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 824 wrote to memory of 1452 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\SppExtComObj.exe
PID 824 wrote to memory of 1452 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\SppExtComObj.exe
PID 1452 wrote to memory of 772 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 1452 wrote to memory of 772 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 1452 wrote to memory of 1760 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 1452 wrote to memory of 1760 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 772 wrote to memory of 1356 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\SppExtComObj.exe
PID 772 wrote to memory of 1356 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\SppExtComObj.exe
PID 1356 wrote to memory of 4192 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 1356 wrote to memory of 4192 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 1356 wrote to memory of 716 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 1356 wrote to memory of 716 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 4192 wrote to memory of 2844 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\SppExtComObj.exe
PID 4192 wrote to memory of 2844 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\SppExtComObj.exe
PID 2844 wrote to memory of 4968 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 2844 wrote to memory of 4968 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 2844 wrote to memory of 3980 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 2844 wrote to memory of 3980 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 4968 wrote to memory of 3800 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\SppExtComObj.exe
PID 4968 wrote to memory of 3800 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\SppExtComObj.exe
PID 3800 wrote to memory of 4760 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3800 wrote to memory of 4760 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3800 wrote to memory of 1648 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3800 wrote to memory of 1648 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 4760 wrote to memory of 3240 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\SppExtComObj.exe
PID 4760 wrote to memory of 3240 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\SppExtComObj.exe
PID 3240 wrote to memory of 4908 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3240 wrote to memory of 4908 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3240 wrote to memory of 544 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3240 wrote to memory of 544 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 4908 wrote to memory of 3772 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\SppExtComObj.exe
PID 4908 wrote to memory of 3772 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\SppExtComObj.exe
PID 3772 wrote to memory of 3548 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3772 wrote to memory of 3548 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3772 wrote to memory of 4088 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3772 wrote to memory of 4088 N/A C:\Users\Admin\3D Objects\SppExtComObj.exe C:\Windows\System32\WScript.exe
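Read as a whole, the table above is a process tree rather than a list of injections: in every row the writer and the target are different images, and each target PID turns up as the writer in later rows, so treating "PID X wrote to memory of Y" as X launching Y recovers the spawn chain (that reading is the analyst's inference, not something the report states). PID 2020, the original sample, launches a series of powershell.exe children and one SppExtComObj.exe (1056); from there every SppExtComObj.exe launches two WScript.exe hosts, one of which launches SppExtComObj.exe again, and the visible rows repeat that hand-off seven times (1056, 1452, 1356, 2844, 3800, 3240, 3772). The Python below is an added example, not part of the report, that parses rows in this layout, drops the duplicate entries the sandbox emits for each event, rebuilds the tree and reports the deepest chain. Assumptions: the row regex relies on the source image ending in .exe and the target starting with a drive letter; the sample keeps three of the powershell children and the full WScript/SppExtComObj chain from the table.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Row layout from the table above. The source image always ends in .exe and
# the target always starts with a drive letter, which is enough to split
# the two space-containing paths.
ROW_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (C:\\.+)$', re.IGNORECASE)

SELF = r"C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe"
SPP = r"C:\Users\Admin\3D Objects\SppExtComObj.exe"
WS = r"C:\Windows\System32\WScript.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def _row(parent, child, parent_img, child_img):
    return f"PID {parent} wrote to memory of {child} N/A {parent_img} {child_img}"


# Constructed sample: PIDs and images from the table above (three of the
# powershell children, then the whole SppExtComObj/WScript chain). The first
# row is repeated, as every row in the report is, to exercise the dedupe.
SAMPLE_ROWS = [
    _row(2020, 2572, SELF, PS), _row(2020, 2572, SELF, PS),
    _row(2020, 4864, SELF, PS), _row(2020, 3160, SELF, PS),
    _row(2020, 1056, SELF, SPP),
    _row(1056, 824, SPP, WS), _row(1056, 3928, SPP, WS), _row(824, 1452, WS, SPP),
    _row(1452, 772, SPP, WS), _row(1452, 1760, SPP, WS), _row(772, 1356, WS, SPP),
    _row(1356, 4192, SPP, WS), _row(1356, 716, SPP, WS), _row(4192, 2844, WS, SPP),
    _row(2844, 4968, SPP, WS), _row(2844, 3980, SPP, WS), _row(4968, 3800, WS, SPP),
    _row(3800, 4760, SPP, WS), _row(3800, 1648, SPP, WS), _row(4760, 3240, WS, SPP),
    _row(3240, 4908, SPP, WS), _row(3240, 544, SPP, WS), _row(4908, 3772, WS, SPP),
    _row(3772, 3548, SPP, WS), _row(3772, 4088, SPP, WS),
]


def parse_edges(rows):
    """Deduplicated (parent_pid, child_pid, parent_image, child_image) tuples,
    in first-seen order."""
    edges, seen = [], set()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """children[pid] -> [child_pid, ...]; image[pid] -> executable file name."""
    children, image = defaultdict(list), {}
    for ppid, cpid, pimg, cimg in edges:
        children[ppid].append(cpid)
        image.setdefault(ppid, PureWindowsPath(pimg).name)
        image[cpid] = PureWindowsPath(cimg).name
    return children, image


def deepest_path(children, image, root):
    """Longest parent->child path from root, as [(pid, image_name), ...]."""
    best = [(root, image[root])]
    for cpid in children.get(root, []):
        cand = [(root, image[root])] + deepest_path(children, image, cpid)
        if len(cand) > len(best):
            best = cand
    return best


def children_by_image(edges):
    """counts[parent_pid][child_image_name] -> number of such children."""
    counts = defaultdict(lambda: defaultdict(int))
    for ppid, _cpid, _pimg, cimg in edges:
        counts[ppid][PureWindowsPath(cimg).name] += 1
    return counts


if __name__ == "__main__":
    edges = parse_edges(SAMPLE_ROWS)
    children, image = build_tree(edges)
    chain = deepest_path(children, image, 2020)
    print(f"{len(edges)} unique spawn events, deepest chain {len(chain)} processes:")
    print(" -> ".join(f"{pid}:{name}" for pid, name in chain))
    for ppid, per_image in children_by_image(edges).items():
        print(ppid, dict(per_image))
```

The alternating chain is the detection-relevant shape: a script host launched from a user directory that in turn launches the same unsigned SppExtComObj.exe again is not something a legitimate KMS client does, and a rule that looks for WScript.exe as both child and parent of one non-system executable catches it without depending on the particular file name.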

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\3D Objects\SppExtComObj.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\System\Ole DB\de-DE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\Ole DB\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\System\Ole DB\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\3D Objects\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\3D Objects\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\ja-JP\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\My Music\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Music\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics9" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics9" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Users\Admin\3D Objects\SppExtComObj.exe

"C:\Users\Admin\3D Objects\SppExtComObj.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\580e6d49-501c-483a-869b-dac2c20f6530.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72411b9a-1b64-411e-b136-f1c8f2904253.vbs"

C:\Users\Admin\3D Objects\SppExtComObj.exe

"C:\Users\Admin\3D Objects\SppExtComObj.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efe6c4d6-13d3-4e30-bb46-2d5923511c87.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f4d8413-d2c1-49d0-84b6-d12268af822a.vbs"

C:\Users\Admin\3D Objects\SppExtComObj.exe

"C:\Users\Admin\3D Objects\SppExtComObj.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f42521d-d304-4ca0-9e07-96b98e367b7a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9bc53753-9262-40c8-b44d-4ce12fa3ff01.vbs"

C:\Users\Admin\3D Objects\SppExtComObj.exe

"C:\Users\Admin\3D Objects\SppExtComObj.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2403ed1-88d0-4def-94ee-e65b0f5438fe.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53a9ee48-457d-46d3-9dfc-0b6b42d9c706.vbs"

C:\Users\Admin\3D Objects\SppExtComObj.exe

"C:\Users\Admin\3D Objects\SppExtComObj.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69dcb746-bdfd-4d55-ac14-97726c13fc77.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d4fdff9-780a-4e02-ba1e-9c47a6dbd49e.vbs"

C:\Users\Admin\3D Objects\SppExtComObj.exe

"C:\Users\Admin\3D Objects\SppExtComObj.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16372a9e-090c-4b0f-832b-b6453d83b460.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ae344fa-3040-415e-afad-f49448d84ed3.vbs"

C:\Users\Admin\3D Objects\SppExtComObj.exe

"C:\Users\Admin\3D Objects\SppExtComObj.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\922bd387-fa3d-433a-a1b0-558a256367bf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eedc1119-48bc-4ddd-8011-6398a5cd4d1b.vbs"

C:\Users\Admin\3D Objects\SppExtComObj.exe

"C:\Users\Admin\3D Objects\SppExtComObj.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d97244f6-647f-4dcc-a433-4fdc7b4809ba.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fb5868a-cc92-4405-b2de-4beb5cb645d7.vbs"

C:\Users\Admin\3D Objects\SppExtComObj.exe

"C:\Users\Admin\3D Objects\SppExtComObj.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\feec2a2a-2a22-444b-b4d5-9b3ac93ccaad.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf6aa1e6-bb90-464b-9539-7e9cb709b362.vbs"

C:\Users\Admin\3D Objects\SppExtComObj.exe

"C:\Users\Admin\3D Objects\SppExtComObj.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3eefc39f-8364-43e6-b95b-0d7a62a6b78b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56b5a343-2940-468d-933d-cc46adec1221.vbs"

C:\Users\Admin\3D Objects\SppExtComObj.exe

"C:\Users\Admin\3D Objects\SppExtComObj.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b698445b-2e7d-46be-898b-796a0cecbce0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5e3fb83-6ccf-40c6-931c-977c41da27e1.vbs"

C:\Users\Admin\3D Objects\SppExtComObj.exe

"C:\Users\Admin\3D Objects\SppExtComObj.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee3971d7-f84a-4037-9f97-58605f3f601c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\781357dd-8bdd-4b6c-8499-226a598bc7e4.vbs"

C:\Users\Admin\3D Objects\SppExtComObj.exe

"C:\Users\Admin\3D Objects\SppExtComObj.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a6f3239-54ca-47b9-a8f6-b302f98eff25.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d3da84c-652c-4ac1-bf84-5888f73f1a66.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 247.68.154.149.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 200.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 234.197.17.2.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 195.201.50.20.in-addr.arpa udp

Files

C:\Users\Public\AccountPictures\upfc.exe

MD5 990d69ce8a7a58fa44a5071429041ff0
SHA1 0f2603214e0b81c26a094b7e5fe76b7fa40be4b1
SHA256 15da106135fb0203f99b4cea15f31623008d8d81faf4648b494b2b53a2ee85ce
SHA512 6197dbd8e964fcc41df771b3defc6e0e2186c93d275bbd9fcc9745298cf3d3631fbfcd21058c2257a8d80f7fe258bcd33d5dbbe23d6b66702297aeeb2edb00dc

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y51vbf0s.01m.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\72411b9a-1b64-411e-b136-f1c8f2904253.vbs

C:\Users\Admin\AppData\Local\Temp\580e6d49-501c-483a-869b-dac2c20f6530.vbs

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

C:\Users\Admin\AppData\Local\Temp\efe6c4d6-13d3-4e30-bb46-2d5923511c87.vbs

C:\Users\Admin\AppData\Local\Temp\0f42521d-d304-4ca0-9e07-96b98e367b7a.vbs

C:\Users\Admin\AppData\Local\Temp\c2403ed1-88d0-4def-94ee-e65b0f5438fe.vbs

C:\Users\Admin\AppData\Local\Temp\69dcb746-bdfd-4d55-ac14-97726c13fc77.vbs

C:\Users\Admin\AppData\Local\Temp\16372a9e-090c-4b0f-832b-b6453d83b460.vbs

C:\Users\Admin\AppData\Local\Temp\922bd387-fa3d-433a-a1b0-558a256367bf.vbs

C:\Users\Admin\AppData\Local\Temp\d97244f6-647f-4dcc-a433-4fdc7b4809ba.vbs

C:\Users\Admin\AppData\Local\Temp\feec2a2a-2a22-444b-b4d5-9b3ac93ccaad.vbs

C:\Users\Admin\AppData\Local\Temp\3eefc39f-8364-43e6-b95b-0d7a62a6b78b.vbs

C:\Users\Admin\AppData\Local\Temp\b698445b-2e7d-46be-898b-796a0cecbce0.vbs

C:\Users\Admin\AppData\Local\Temp\ee3971d7-f84a-4037-9f97-58605f3f601c.vbs

C:\Users\Admin\AppData\Local\Temp\1a6f3239-54ca-47b9-a8f6-b302f98eff25.vbs