Malware Analysis Report

2024-11-15 05:49

Sample ID 240514-xv275acd35
Target 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics
SHA256 56eb43e82dc6e809762241b8c517ad95557489df9f758e5d2f4104742ca892b7
Tags
dcrat evasion infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

56eb43e82dc6e809762241b8c517ad95557489df9f758e5d2f4104742ca892b7

Threat Level: Known bad

The file 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

dcrat evasion infostealer rat trojan

Dcrat family

DcRat

UAC bypass

DCRat payload

Process spawned unexpected child process

DCRat payload

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

System policy modification

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-14 19:11

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-14 19:11

Reported

2024-05-14 19:13

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Program Files\7-Zip\Lang\Registry.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Program Files\7-Zip\Lang\Registry.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Program Files\7-Zip\Lang\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\RCX4B48.tmp C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX4D4D.tmp C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Program Files\ModifiableWindowsApps\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\Registry.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\debug\RCX40B4.tmp C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Help\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Windows\debug\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Windows\debug\24dbde2999530e C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Windows\de-DE\MusNotification.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Windows\de-DE\aa97147c4c782d C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\debug\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Help\RCX42B9.tmp C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\de-DE\RCX452B.tmp C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\de-DE\MusNotification.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Windows\Help\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Windows\Help\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Program Files\7-Zip\Lang\Registry.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Program Files\7-Zip\Lang\Registry.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\7-Zip\Lang\Registry.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3932 wrote to memory of 5744 N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe C:\Program Files\7-Zip\Lang\Registry.exe
PID 3932 wrote to memory of 5744 N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe C:\Program Files\7-Zip\Lang\Registry.exe
PID 5744 wrote to memory of 1448 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 5744 wrote to memory of 1448 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 5744 wrote to memory of 3240 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 5744 wrote to memory of 3240 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 1448 wrote to memory of 1048 N/A C:\Windows\System32\WScript.exe C:\Program Files\7-Zip\Lang\Registry.exe
PID 1448 wrote to memory of 1048 N/A C:\Windows\System32\WScript.exe C:\Program Files\7-Zip\Lang\Registry.exe
PID 1048 wrote to memory of 3004 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 1048 wrote to memory of 3004 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 1048 wrote to memory of 2940 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 1048 wrote to memory of 2940 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 3004 wrote to memory of 3804 N/A C:\Windows\System32\WScript.exe C:\Program Files\7-Zip\Lang\Registry.exe
PID 3004 wrote to memory of 3804 N/A C:\Windows\System32\WScript.exe C:\Program Files\7-Zip\Lang\Registry.exe
PID 3804 wrote to memory of 4568 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 3804 wrote to memory of 4568 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 3804 wrote to memory of 5612 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 3804 wrote to memory of 5612 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 4568 wrote to memory of 5740 N/A C:\Windows\System32\WScript.exe C:\Program Files\7-Zip\Lang\Registry.exe
PID 4568 wrote to memory of 5740 N/A C:\Windows\System32\WScript.exe C:\Program Files\7-Zip\Lang\Registry.exe
PID 5740 wrote to memory of 768 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 5740 wrote to memory of 768 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 5740 wrote to memory of 5132 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 5740 wrote to memory of 5132 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 768 wrote to memory of 4916 N/A C:\Windows\System32\WScript.exe C:\Program Files\7-Zip\Lang\Registry.exe
PID 768 wrote to memory of 4916 N/A C:\Windows\System32\WScript.exe C:\Program Files\7-Zip\Lang\Registry.exe
PID 4916 wrote to memory of 5248 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 4916 wrote to memory of 5248 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 4916 wrote to memory of 4336 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 4916 wrote to memory of 4336 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 5248 wrote to memory of 5016 N/A C:\Windows\System32\WScript.exe C:\Program Files\7-Zip\Lang\Registry.exe
PID 5248 wrote to memory of 5016 N/A C:\Windows\System32\WScript.exe C:\Program Files\7-Zip\Lang\Registry.exe
PID 5016 wrote to memory of 1064 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 5016 wrote to memory of 1064 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 5016 wrote to memory of 1424 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 5016 wrote to memory of 1424 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 1064 wrote to memory of 2236 N/A C:\Windows\System32\WScript.exe C:\Program Files\7-Zip\Lang\Registry.exe
PID 1064 wrote to memory of 2236 N/A C:\Windows\System32\WScript.exe C:\Program Files\7-Zip\Lang\Registry.exe
PID 2236 wrote to memory of 5420 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 2236 wrote to memory of 5420 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 2236 wrote to memory of 4380 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 2236 wrote to memory of 4380 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 5420 wrote to memory of 3724 N/A C:\Windows\System32\WScript.exe C:\Program Files\7-Zip\Lang\Registry.exe
PID 5420 wrote to memory of 3724 N/A C:\Windows\System32\WScript.exe C:\Program Files\7-Zip\Lang\Registry.exe
PID 3724 wrote to memory of 4924 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 3724 wrote to memory of 4924 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 3724 wrote to memory of 1524 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 3724 wrote to memory of 1524 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 4924 wrote to memory of 4068 N/A C:\Windows\System32\WScript.exe C:\Program Files\7-Zip\Lang\Registry.exe
PID 4924 wrote to memory of 4068 N/A C:\Windows\System32\WScript.exe C:\Program Files\7-Zip\Lang\Registry.exe
PID 4068 wrote to memory of 3396 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 4068 wrote to memory of 3396 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 4068 wrote to memory of 5852 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 4068 wrote to memory of 5852 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 3396 wrote to memory of 4836 N/A C:\Windows\System32\WScript.exe C:\Program Files\7-Zip\Lang\Registry.exe
PID 3396 wrote to memory of 4836 N/A C:\Windows\System32\WScript.exe C:\Program Files\7-Zip\Lang\Registry.exe
PID 4836 wrote to memory of 6080 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 4836 wrote to memory of 6080 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 4836 wrote to memory of 4692 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 4836 wrote to memory of 4692 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 6080 wrote to memory of 6088 N/A C:\Windows\System32\WScript.exe C:\Program Files\7-Zip\Lang\Registry.exe
PID 6080 wrote to memory of 6088 N/A C:\Windows\System32\WScript.exe C:\Program Files\7-Zip\Lang\Registry.exe
PID 6088 wrote to memory of 792 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe
PID 6088 wrote to memory of 792 N/A C:\Program Files\7-Zip\Lang\Registry.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\7-Zip\Lang\Registry.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\debug\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\debug\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Help\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\MusNotification.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Windows\de-DE\MusNotification.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\MusNotification.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Templates\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Templates\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Templates\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Program Files\7-Zip\Lang\Registry.exe

"C:\Program Files\7-Zip\Lang\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22156452-dd09-45d4-ae18-fd6468af8618.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d24feec2-5af4-48d0-91a4-8a0d15778e7a.vbs"

C:\Program Files\7-Zip\Lang\Registry.exe

"C:\Program Files\7-Zip\Lang\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edddfa33-8d6c-4487-9834-32ab63455058.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7dd23086-0c42-4795-84a1-cc49d687287e.vbs"

C:\Program Files\7-Zip\Lang\Registry.exe

"C:\Program Files\7-Zip\Lang\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43558a0e-9894-454a-83f2-95e0e533ae46.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\219e93eb-bc33-4eb7-90fe-9b81c3f339e6.vbs"

C:\Program Files\7-Zip\Lang\Registry.exe

"C:\Program Files\7-Zip\Lang\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f570ebb3-f735-446a-9597-d206b5e8df81.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65147756-6be1-4248-81fb-46a297fef56b.vbs"

C:\Program Files\7-Zip\Lang\Registry.exe

"C:\Program Files\7-Zip\Lang\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a91b942-8f96-497f-9b95-2f34cf54b281.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae57892e-9043-401e-ac3e-00b4cb3d1f59.vbs"

C:\Program Files\7-Zip\Lang\Registry.exe

"C:\Program Files\7-Zip\Lang\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ebf0c7d-dfb4-4ce6-acdb-1d47ac45e193.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50e90164-3b1e-4891-b467-f21280e63dea.vbs"

C:\Program Files\7-Zip\Lang\Registry.exe

"C:\Program Files\7-Zip\Lang\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\928849f6-b62b-4353-93a4-65195f33776c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9411737-7236-4cae-983a-8853648e90e0.vbs"

C:\Program Files\7-Zip\Lang\Registry.exe

"C:\Program Files\7-Zip\Lang\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0321a02f-68ac-4324-b0a9-06f3d20bccec.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b10cb25-52ef-437e-be81-3147ccd658de.vbs"

C:\Program Files\7-Zip\Lang\Registry.exe

"C:\Program Files\7-Zip\Lang\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d97f5c2-c923-4e22-b4d0-0af6a22d542f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46c99728-7af6-42e6-966e-c0bf7d5d1484.vbs"

C:\Program Files\7-Zip\Lang\Registry.exe

"C:\Program Files\7-Zip\Lang\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a52c5b0-c5e6-4d0e-99e9-e3e82331636f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77ab77e7-e027-43b3-9f2b-6da20bd1081e.vbs"

C:\Program Files\7-Zip\Lang\Registry.exe

"C:\Program Files\7-Zip\Lang\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ce2bb3b-bd5c-4fd7-9b03-934eab621c02.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67ccac60-e583-4dcc-a3d7-6d90ceaaf2b7.vbs"

C:\Program Files\7-Zip\Lang\Registry.exe

"C:\Program Files\7-Zip\Lang\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\729371c2-3b9d-425f-9ab6-60a8c1336f82.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93c7d8ad-045c-47cc-b5ac-ca86f6a91077.vbs"

C:\Program Files\7-Zip\Lang\Registry.exe

"C:\Program Files\7-Zip\Lang\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3645f0ef-38bc-4604-ac6b-f46cd364f500.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8bfe4e5-da60-40d5-aa2f-e3ce31515ea4.vbs"

C:\Program Files\7-Zip\Lang\Registry.exe

"C:\Program Files\7-Zip\Lang\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84e9772b-728d-44fd-8d90-e49a9341260e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4259106-d483-4c9d-80d7-c3bd084f8d2d.vbs"

C:\Program Files\7-Zip\Lang\Registry.exe

"C:\Program Files\7-Zip\Lang\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\509c55a2-1419-478b-bc45-d46afe969a49.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c75efd7-ce06-4b93-b63c-fc329a85f255.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 a0941979.xsph.ru udp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
US 8.8.8.8:53 33.195.8.141.in-addr.arpa udp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
NL 23.62.61.113:443 www.bing.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp

Files

memory/3932-0-0x00007FF996023000-0x00007FF996025000-memory.dmp

memory/3932-1-0x00000000003D0000-0x000000000050A000-memory.dmp

memory/3932-2-0x00007FF996020000-0x00007FF996AE1000-memory.dmp

memory/3932-3-0x000000001B220000-0x000000001B23C000-memory.dmp

memory/3932-6-0x000000001B240000-0x000000001B250000-memory.dmp

memory/3932-5-0x000000001B0C0000-0x000000001B0C8000-memory.dmp

memory/3932-4-0x000000001B6B0000-0x000000001B700000-memory.dmp

memory/3932-8-0x000000001B680000-0x000000001B688000-memory.dmp

memory/3932-11-0x000000001B700000-0x000000001B70C000-memory.dmp

memory/3932-10-0x000000001B690000-0x000000001B69C000-memory.dmp

memory/3932-9-0x000000001B6A0000-0x000000001B6AA000-memory.dmp

memory/3932-7-0x000000001B660000-0x000000001B676000-memory.dmp

memory/3932-14-0x000000001B730000-0x000000001B73C000-memory.dmp

memory/3932-21-0x000000001BAA0000-0x000000001BAAC000-memory.dmp

memory/3932-19-0x000000001BA70000-0x000000001BA78000-memory.dmp

memory/3932-20-0x000000001BA80000-0x000000001BA8A000-memory.dmp

memory/3932-18-0x000000001BA60000-0x000000001BA6C000-memory.dmp

memory/3932-17-0x000000001B850000-0x000000001B85E000-memory.dmp

memory/3932-16-0x000000001B840000-0x000000001B84A000-memory.dmp

memory/3932-15-0x000000001BA90000-0x000000001BA98000-memory.dmp

memory/3932-13-0x000000001B720000-0x000000001B72C000-memory.dmp

memory/3932-12-0x000000001B710000-0x000000001B718000-memory.dmp

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe

MD5 13479ce2adfeb68235431878761f2bd0
SHA1 becd3db1ddb9494d64b2f8f28ca9dcfea5afdbb2
SHA256 56eb43e82dc6e809762241b8c517ad95557489df9f758e5d2f4104742ca892b7
SHA512 597d1bb3e5f090bd098bcf52ba37e132175e6c29161ba1e8398875c8de230ceb3efe47f88f435b639a8ec73fd3d0a559df072b0bf4b0b9e934540f58f9615785

C:\Program Files\7-Zip\Lang\RCX4B48.tmp

MD5 0d56c034ffddff97cdb77bc7cbf2c386
SHA1 b1540f11fcbaa3ba79274ccd6c0ef56db0bb5fe6
SHA256 2e1406fb07a07d1e4601044624be0c40e9f884992332deaa36b2845759f86a11
SHA512 67fc1da5d777816cc305a93f1553504be4062e843ea760d6103a9c1e611c3ea6c3ba95975577da82c6ae06b353240ab0e0832c717fb45902f425ac8f69a1d1eb

C:\Recovery\WindowsRE\smss.exe

MD5 f425cb616327e2e8ee96d7de2ac16af9
SHA1 8963c8363d40a79b61581896f681f1cf8c225135
SHA256 28d2ac277953c6b1457c6537f4aa9d8c76ea961989a41bb9e6b76587391bf2a3
SHA512 71a3c39c383fa8aa87457b574679b7c92ee5ef1b18468b762c217a566fedbd401eefa850148d381d755eaa83455504561c8103ab9d6cbbe41526089ff4c109ee

memory/3932-182-0x00007FF996020000-0x00007FF996AE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\22156452-dd09-45d4-ae18-fd6468af8618.vbs

MD5 8982751a52218176daa002eb88424080
SHA1 c16a3baeb42db26cadcd156e7b82d027403a3a20
SHA256 0b879fddb1f86cac5cc6fcd34b7564e93377cbddae0962613900fe14aee4ccdd
SHA512 98456a577bef5a83bf3a743f84131bf2b753af0892aca45643303845ea7f03d7b4b11c490631bd033d8645468d2402c96f0dcde393914766d9d0f0bde78ad23e

C:\Users\Admin\AppData\Local\Temp\d24feec2-5af4-48d0-91a4-8a0d15778e7a.vbs

MD5 ff25befcf4d6ef667a8f8ecace72c6c1
SHA1 b7a2c36cb915896f4e374ba9d5eaba607324c523
SHA256 dc140f664e2621c79ede06cbb95360408c99e1b5e1c171133fa6367e7ba39970
SHA512 5a1dcd1e9792927229adaba5712236dc2092d627b1aa85680b79e17c67016085d1925c970ff9bf19d7c139270eb400099a3bedcc94a987bfa3d19684890076bf

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.exe.log

MD5 3690a1c3b695227a38625dcf27bd6dac
SHA1 c2ed91e98b120681182904fa2c7cd504e5c4b2f5
SHA256 2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73
SHA512 15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

C:\Users\Admin\AppData\Local\Temp\edddfa33-8d6c-4487-9834-32ab63455058.vbs

MD5 1ec3a8426a9507a20e1d817ed6bbafc2
SHA1 e15a167a8eed8694bc9825358d89ebb09f9789af
SHA256 f896e57294e463da07a1102f61038d859094d59528f0c246517a1e9465dd8061
SHA512 b01ba3e271a7245602b5b4a2d65f176b0e57a64e20f9ea88aee6e1784a036a854282c7e538a7096c1d431f0e8eaf5a606ca19b217865f877437c80d7218de9cd

C:\Users\Admin\AppData\Local\Temp\43558a0e-9894-454a-83f2-95e0e533ae46.vbs

MD5 58dac40d92e6313eae55fcd159695f08
SHA1 765e56d521f35afe6a2881fce1a218a5d36aec02
SHA256 a407a19ce1235c707b207020a354e0db34559da2a0e95e771628b9020668bd28
SHA512 e41646a2c97c64d09a2ffa7cd21b28a1af80d2f60e9caeb71d775bef0e625e511a67a80261e1bb041f11ea6d584820785e979a393f4b3a61a44581cc1f44beab

C:\Users\Admin\AppData\Local\Temp\f570ebb3-f735-446a-9597-d206b5e8df81.vbs

MD5 ef077794a98c085c5fdfe7e2c4a26301
SHA1 1bc3a91d82b279ec6fa66cd723fdbed821698d75
SHA256 11b2368567921531fa2c3e681e7b160d589246e94c81804f13849756f67d8d4d
SHA512 9b6ea9aaf8e690452e3692cb882e305c349a9739f6ca8cd3f590ed38bdb23fcc47678eeea4d84e9e55f6949c903a8fe89cf60514f3970c3ddcc9ebef187114f6

C:\Users\Admin\AppData\Local\Temp\6a91b942-8f96-497f-9b95-2f34cf54b281.vbs

MD5 9e86119d4791c14158270fba7cf15936
SHA1 9cd55ae642c828af264b1ec5a1136e02f59c243f
SHA256 1efc9dd4bd301efd862e5628c7ef329e517aa9abdd12ad38bb09c8f84def008f
SHA512 af73b846e172c92824f039909405a4f6b95664086258130c156454a094d1b180cfa9eee50e00824814aa907232b1a5c28d649c93fc26de0fa2e9e4a1112798db

C:\Users\Admin\AppData\Local\Temp\1ebf0c7d-dfb4-4ce6-acdb-1d47ac45e193.vbs

MD5 2e35f11b6044c947f0ddf7bc9711409c
SHA1 91f5c041fc231970a76e30cde68d010ff9222125
SHA256 0c01d844c8cfb3f903430f5aef5ffdebed7674ccfe5dd1236852faca86c26550
SHA512 d3afe806f4cb2db0030411596269ba4a8a75432b47414750b059e59540dbdf90db28dd2adf7a504c320e4ca300c8150650aad78f485518d63a5bddf5c40d709a

C:\Users\Admin\AppData\Local\Temp\928849f6-b62b-4353-93a4-65195f33776c.vbs

MD5 119517ab7da090549432e131df84b1e0
SHA1 8554d85852358caadebf6bc29c7cc5b59c20766e
SHA256 54f465d19f011be5564724e1731bec8b73cb55f399afabe9305999a462341d90
SHA512 6a97e377b47f606af2183c60568fa1cf1aca2a5dcf71902a2d3cefd1948ba89f787a0c9da6fd285bca2dccb16e956095ee6a63357793a586d7611067a95713c4

C:\Users\Admin\AppData\Local\Temp\0321a02f-68ac-4324-b0a9-06f3d20bccec.vbs

MD5 01a51e79ae684e001a089d04884ffa5e
SHA1 0a86a443ee73bc9179383ca8fa1d893913f13b66
SHA256 d338090569224029bf5f3e03d426a6e87da4d14fddbee211da93e912fd0fcc40
SHA512 b0c3f3e6a49ce2ce8c35d04085ad12ae49c4389ae27af5dc1c2935e3e3d9cb14fba16f84185a52ccaeca13e58763eb63fc814e96279a94b45538167d9fc69c1d

C:\Users\Admin\AppData\Local\Temp\4d97f5c2-c923-4e22-b4d0-0af6a22d542f.vbs

MD5 b9c4385d564c67c968e39a6747084e1f
SHA1 8ddfcff6d29aadc60c964ad7a1071b4d80ebae1e
SHA256 aa09881930a37117fef7945766a73e58a6525bebf55008244f446ee0f71c82c5
SHA512 521019a231796d91abadf2217b208f66e74f421de9b31e98227ffa3bb187694d92deffafc360251a68a1ddd19a5ec9a4bb43c5a6159e4c794c54ba28f94af4c3

C:\Users\Admin\AppData\Local\Temp\8a52c5b0-c5e6-4d0e-99e9-e3e82331636f.vbs

MD5 10dbc7f4b992508bac22531dcd4f13e5
SHA1 f2dd843e38a3a268c6f5a23dc31a35cdaec811af
SHA256 c3143a3379ffeed66e3ab5799e9a1a48f8b7f283a44013708c8d0767bb30d7eb
SHA512 3c34e902c7a00c04a365b0fdf49067fc2516377407b6f8a9e37bda03a0a655da8c93ea464314a524f7ee6afb04d95ecd797e7e974bb19229fdd3ea342e42e13e

C:\Users\Admin\AppData\Local\Temp\7ce2bb3b-bd5c-4fd7-9b03-934eab621c02.vbs

MD5 0c96ece2a3123de388aa7a780f9a3343
SHA1 ac1e3b29c104dc73b923fc8cb3e19a54c1059b8d
SHA256 38230f5f6556a2f4afe87603e8ebe35f86c2dcc48b888f628a0388dbc010fb7a
SHA512 d37f4b848a84f4dcc98459e863eea2e6850672d035c6aa9c65438f13f6e58ccf04afd2308db8e08a5340882826e1ebcdc0ef41049eeb5590db75446da77185c6

C:\Users\Admin\AppData\Local\Temp\729371c2-3b9d-425f-9ab6-60a8c1336f82.vbs

MD5 ea4638002fae4bf0a226cb6899fb7d22
SHA1 e6b373554014f46bc4371cd6036e98d0bae76f43
SHA256 8d18255a8f9382b18f4c1eab431d38d087e95ba53b70c56e67bae02751ece8fb
SHA512 073308f908c9cef4a4178571049f5e1d9784d512aef8c6a001e8b501be4ab456a0a2f50f56215229b7bee011303f460336f316ad06c400b6529e49a65e8858a4

C:\Users\Admin\AppData\Local\Temp\3645f0ef-38bc-4604-ac6b-f46cd364f500.vbs

MD5 652400cc6edfdd560d4fc763fd0e4d81
SHA1 3f992b5a5d229684806bd849b4747a8fd4e7b1cb
SHA256 6203b62bc53ab5dd1fbb9e811c47572c9f97ac3fddd6f9958704b8a616140c52
SHA512 9b057ab61649217bcd11ba55e1db6aa7a8d5a203f198bb8efc23e5341441c7e2efb2d0de70cf49366ae7cc87d94bc35eeef31a477adcadae014585d5fe8432e5

C:\Users\Admin\AppData\Local\Temp\84e9772b-728d-44fd-8d90-e49a9341260e.vbs

MD5 f507ac859986d5f5456e43e07a068e35
SHA1 fc5d64b99cf4ee0a9fef7c9a56671ffd0156f825
SHA256 0e0005eb9586deb9d2d01d036ee77d1f833a7111069290ef81c9293cdfedf4fe
SHA512 5b182a20d0a06e7f17b086a397342bf0cd149cb524c4e8d4b5bcee16c2f7e012adf7e6ce9fdc0acc21015c7f5286fbd191368336d9d2b756ba4e7a5020b0529b

C:\Users\Admin\AppData\Local\Temp\509c55a2-1419-478b-bc45-d46afe969a49.vbs

MD5 5fd6ccd9887e70e826cf39c4936ec9f3
SHA1 3d4112139533c5059e0342a8fc39f24322d31434
SHA256 3e2fe0786ed358ce55b4a84de82e46e81d8c0009dab6eb13ef3454f0835a9ecd
SHA512 9148e766f738f7bd26f4392a3fea0c8ce62859f673df4c8379cfe8f37ad9090816e9883428ecd67bec3119ba9a38b73966ff906e44770b7669e7897c1587b9be

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-14 19:11

Reported

2024-05-14 19:13

Platform

win7-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Media\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Media\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Media\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Media\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Media\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Media\smss.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Portable Devices\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\csrss.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\RCX30A5.tmp C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Program Files\7-Zip\Lang\csrss.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Uninstall Information\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Portable Devices\csrss.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\csrss.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\csrss.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Defender\it-IT\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Uninstall Information\lsass.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Uninstall Information\lsass.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\csrss.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Resources\Themes\Aero\csrss.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Windows\Media\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Windows\de-DE\101b941d020240 C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Windows\Resources\Themes\Aero\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Resources\Themes\Aero\RCX37AA.tmp C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Resources\Themes\Aero\csrss.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Windows\Media\smss.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File created C:\Windows\de-DE\lsm.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Media\smss.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\de-DE\lsm.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Media\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Media\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Media\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Media\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Media\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Media\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Media\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Media\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Media\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Media\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Media\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Media\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Media\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Media\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Media\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Media\smss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2100 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2100 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2100 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2476 wrote to memory of 596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2476 wrote to memory of 596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2476 wrote to memory of 596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2476 wrote to memory of 588 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
PID 2476 wrote to memory of 588 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
PID 2476 wrote to memory of 588 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
PID 588 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe C:\Windows\Media\smss.exe
PID 588 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe C:\Windows\Media\smss.exe
PID 588 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe C:\Windows\Media\smss.exe
PID 1904 wrote to memory of 1028 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 1904 wrote to memory of 1028 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 1904 wrote to memory of 1028 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 1904 wrote to memory of 952 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 1904 wrote to memory of 952 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 1904 wrote to memory of 952 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 1028 wrote to memory of 2384 N/A C:\Windows\System32\WScript.exe C:\Windows\Media\smss.exe
PID 1028 wrote to memory of 2384 N/A C:\Windows\System32\WScript.exe C:\Windows\Media\smss.exe
PID 1028 wrote to memory of 2384 N/A C:\Windows\System32\WScript.exe C:\Windows\Media\smss.exe
PID 2384 wrote to memory of 1664 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 2384 wrote to memory of 1664 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 2384 wrote to memory of 1664 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 2384 wrote to memory of 2612 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 2384 wrote to memory of 2612 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 2384 wrote to memory of 2612 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 1664 wrote to memory of 2484 N/A C:\Windows\System32\WScript.exe C:\Windows\Media\smss.exe
PID 1664 wrote to memory of 2484 N/A C:\Windows\System32\WScript.exe C:\Windows\Media\smss.exe
PID 1664 wrote to memory of 2484 N/A C:\Windows\System32\WScript.exe C:\Windows\Media\smss.exe
PID 2484 wrote to memory of 2700 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 2484 wrote to memory of 2700 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 2484 wrote to memory of 2700 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 2484 wrote to memory of 2964 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 2484 wrote to memory of 2964 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 2484 wrote to memory of 2964 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 2700 wrote to memory of 1912 N/A C:\Windows\System32\WScript.exe C:\Windows\Media\smss.exe
PID 2700 wrote to memory of 1912 N/A C:\Windows\System32\WScript.exe C:\Windows\Media\smss.exe
PID 2700 wrote to memory of 1912 N/A C:\Windows\System32\WScript.exe C:\Windows\Media\smss.exe
PID 1912 wrote to memory of 1388 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 1912 wrote to memory of 1388 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 1912 wrote to memory of 1388 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 1912 wrote to memory of 2536 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 1912 wrote to memory of 2536 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 1912 wrote to memory of 2536 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 1388 wrote to memory of 1836 N/A C:\Windows\System32\WScript.exe C:\Windows\Media\smss.exe
PID 1388 wrote to memory of 1836 N/A C:\Windows\System32\WScript.exe C:\Windows\Media\smss.exe
PID 1388 wrote to memory of 1836 N/A C:\Windows\System32\WScript.exe C:\Windows\Media\smss.exe
PID 1836 wrote to memory of 2856 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 1836 wrote to memory of 2856 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 1836 wrote to memory of 2856 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 1836 wrote to memory of 2640 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 1836 wrote to memory of 2640 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 1836 wrote to memory of 2640 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 2856 wrote to memory of 352 N/A C:\Windows\System32\WScript.exe C:\Windows\Media\smss.exe
PID 2856 wrote to memory of 352 N/A C:\Windows\System32\WScript.exe C:\Windows\Media\smss.exe
PID 2856 wrote to memory of 352 N/A C:\Windows\System32\WScript.exe C:\Windows\Media\smss.exe
PID 352 wrote to memory of 1592 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 352 wrote to memory of 1592 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 352 wrote to memory of 1592 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 352 wrote to memory of 1944 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 352 wrote to memory of 1944 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 352 wrote to memory of 1944 N/A C:\Windows\Media\smss.exe C:\Windows\System32\WScript.exe
PID 1592 wrote to memory of 2716 N/A C:\Windows\System32\WScript.exe C:\Windows\Media\smss.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Media\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Themes\Aero\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Themes\Aero\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Contacts\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Contacts\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jDRdKfCJCw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Local Settings\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Local Settings\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Media\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Media\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Documents\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Documents\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\de-DE\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\de-DE\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\de-DE\lsm.exe'" /rl HIGHEST /f

C:\Windows\Media\smss.exe

"C:\Windows\Media\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43cefd7b-6e88-4ac7-a602-05260fe31e9e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f92a0191-12ee-4c70-8bf4-60d3f5aaa806.vbs"

C:\Windows\Media\smss.exe

C:\Windows\Media\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfb2d52e-83a8-4a99-90ae-3720c660371e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d2e30a7-2ef5-4ad7-9712-62f730e12777.vbs"

C:\Windows\Media\smss.exe

C:\Windows\Media\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\799bc677-0fac-4adc-9a92-b960b97de8dc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78ccda46-eaea-4073-926a-03ba0b8aa35e.vbs"

C:\Windows\Media\smss.exe

C:\Windows\Media\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b16c6f76-e247-408c-a894-f4d349f6c600.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21a95b86-bd4e-4ab3-8ff7-c3b64f854518.vbs"

C:\Windows\Media\smss.exe

C:\Windows\Media\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8024b097-5de2-4f1e-81a2-02127186665c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e69c453-372a-4c20-99a4-937191e4011f.vbs"

C:\Windows\Media\smss.exe

C:\Windows\Media\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bf7f696-be4a-41cd-8316-3a7beac2b137.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9df7be74-3352-4acd-9e66-c747da92421b.vbs"

C:\Windows\Media\smss.exe

C:\Windows\Media\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d58aebe2-93f5-4c12-a45a-c34d83e36b35.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f6a4a44-4897-42d9-b70e-8c529744a298.vbs"

C:\Windows\Media\smss.exe

C:\Windows\Media\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1c60ae0-028d-4130-8c4b-9ca5aa13e98e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ec94f4a-0403-49fd-bf46-bf3de111a583.vbs"

C:\Windows\Media\smss.exe

C:\Windows\Media\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a1963a4-c2b1-4584-a121-b3aea982b305.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb973434-3a47-4c2f-bab7-3804df8bda04.vbs"

C:\Windows\Media\smss.exe

C:\Windows\Media\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc820fc2-6db9-4643-a898-85e0e30b4760.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\756a9aec-a8bd-4042-89ac-5c3c97468ae0.vbs"

C:\Windows\Media\smss.exe

C:\Windows\Media\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69ccb2bd-6a36-4291-9c39-8300aab3e561.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34488273-3c6d-47e8-a5ab-cda0869006c3.vbs"

C:\Windows\Media\smss.exe

C:\Windows\Media\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0116909-81f8-4b54-aa90-d0fa89f4b2c6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4215c45a-6261-4fc5-9a86-511274a6d2b1.vbs"

C:\Windows\Media\smss.exe

C:\Windows\Media\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d68313b8-2f7b-4032-b6d7-24b38b9ca200.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fab14468-cb79-4657-958e-2b213e050e44.vbs"

C:\Windows\Media\smss.exe

C:\Windows\Media\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76086249-f61b-437a-ab99-d44f99ded0fe.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d31a3bb-589a-41ea-bac3-3b70fd68e076.vbs"

C:\Windows\Media\smss.exe

C:\Windows\Media\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18065e9e-5672-4baf-9203-613b4a3ca4ec.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\448d9363-eb90-4697-9078-15357ad4961f.vbs"

C:\Windows\Media\smss.exe

C:\Windows\Media\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4c1917f-2bc8-4156-afc7-f20335cb0c46.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9bdf99a-148f-44ec-8b0e-ab32b6cada7a.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0941979.xsph.ru udp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp

Files

memory/2100-0-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmp

memory/2100-1-0x00000000001F0000-0x000000000032A000-memory.dmp

memory/2100-2-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

memory/2100-3-0x00000000001D0000-0x00000000001EC000-memory.dmp

memory/2100-4-0x0000000000590000-0x0000000000598000-memory.dmp

memory/2100-5-0x00000000005A0000-0x00000000005B0000-memory.dmp

memory/2100-6-0x0000000000720000-0x0000000000736000-memory.dmp

memory/2100-7-0x0000000000740000-0x0000000000748000-memory.dmp

memory/2100-8-0x0000000000750000-0x000000000075A000-memory.dmp

memory/2100-9-0x0000000000760000-0x000000000076C000-memory.dmp

memory/2100-10-0x0000000000770000-0x000000000077C000-memory.dmp

memory/2100-12-0x0000000000790000-0x000000000079C000-memory.dmp

memory/2100-11-0x0000000000780000-0x0000000000788000-memory.dmp

memory/2100-13-0x00000000007A0000-0x00000000007AC000-memory.dmp

memory/2100-14-0x00000000007B0000-0x00000000007B8000-memory.dmp

memory/2100-15-0x00000000007C0000-0x00000000007CA000-memory.dmp

memory/2100-16-0x00000000007D0000-0x00000000007DE000-memory.dmp

memory/2100-17-0x00000000007E0000-0x00000000007EC000-memory.dmp

memory/2100-18-0x00000000007F0000-0x00000000007F8000-memory.dmp

memory/2100-19-0x0000000002130000-0x000000000213A000-memory.dmp

memory/2100-20-0x0000000002140000-0x000000000214C000-memory.dmp

C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\taskhost.exe

MD5 13479ce2adfeb68235431878761f2bd0
SHA1 becd3db1ddb9494d64b2f8f28ca9dcfea5afdbb2
SHA256 56eb43e82dc6e809762241b8c517ad95557489df9f758e5d2f4104742ca892b7
SHA512 597d1bb3e5f090bd098bcf52ba37e132175e6c29161ba1e8398875c8de230ceb3efe47f88f435b639a8ec73fd3d0a559df072b0bf4b0b9e934540f58f9615785

C:\Program Files\7-Zip\Lang\csrss.exe

MD5 8dd1faa68cde0e812a381903d33692de
SHA1 a55eb88a7b454a1e2b45ca797a0715d946d0f426
SHA256 58b96de5d5d00d208062c0813530aaf43515356c028a2b34fc54a173161398e5
SHA512 5de46c2a0f23bd255ee90fc50ebf1a5643b1b7e3fa09a05d2d408b0a95f8eeebaa3027ea2169e53043c20fae7971f1331b1d969a853b5a413708bb69eabf7ad4

C:\Users\Admin\AppData\Local\Temp\jDRdKfCJCw.bat

MD5 ca066d088e7acdb7fd91543fc3b66876
SHA1 ec64ab9730367bba1b2ee9fcfca9dfd0c03497f5
SHA256 1c4ef7d8579da91465f9b3224eff3e3d31b0c39e77d759002036a73feba9171a
SHA512 dbf5a83a9b26d1c2e5de151841b2907e488a08715b48f19190f14bcff6657ee1c57147cae5b99facf32f1fa7c14ba90419c3036f77b0b051e518b2937c2d8b8d

memory/2100-89-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

memory/588-91-0x0000000001340000-0x000000000147A000-memory.dmp

C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\cc11b995f2a76d

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\59a07570a8a8386aa1a299e6ab573f686e7e81544.5.321e942f7529053d3bf5a939edfacdca5e36682859

MD5 3a225a063946b08a53a0c15d78ccc3d2
SHA1 98a4f4a89f08156c7ec875e37c10e7aaf023e0d7
SHA256 11995a323ae3bda3575b2271b2774dd1ae84fd241b285ff49566b510b088216e
SHA512 9a136356979f16598f5cffd1a17e7304c38d3caccf89d1690af5b5cced0527436377642abdf6c042976f0ffd804ad22001fbd4336bb38e5b7089fa1e5c26595b

memory/1904-170-0x0000000000200000-0x000000000033A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\43cefd7b-6e88-4ac7-a602-05260fe31e9e.vbs

MD5 a2690f7c29639a2bda303bf3681a942b
SHA1 d66814cab43023047dcc60bc1b2d65fe6f1bf04a
SHA256 2ab971890dc461581eab64568eeb84e1f2eb9d85e3f2b726c5feb10b470e378a
SHA512 d8716f4e06227a8ec8cc9588210aafb7f9126f10fdbe6f7cba99772c2744dbba65a0f8b01d9b282247eb7a628948371f6f50abad83560d3aa3d832a1e38199a7

C:\Users\Admin\AppData\Local\Temp\f92a0191-12ee-4c70-8bf4-60d3f5aaa806.vbs

MD5 f44c443d810b0da5a22810d0175aa1ff
SHA1 fcd7ca2134af6b35967a3f5046b43ee1edaa1081
SHA256 132ff8e336af741e7422b3cf75ca578439dff7c2eccc0de2f05caec2d6a23808
SHA512 21662ebecbb48afe23f3ee8c34bec7882f9fcc25b3e1e655db7d0b81edcb0b403f9f370f1f91fb8fb6ca3c728d116a747c545c26e50ccb0c2b5cc61830e17222

memory/2384-181-0x0000000001070000-0x00000000011AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dfb2d52e-83a8-4a99-90ae-3720c660371e.vbs

MD5 996eb8a3a408aadfefb9c140e9cd6a3a
SHA1 45d36af5214a45a776b97265ebb49beac10e9d42
SHA256 b6e1c06885966cfc3caeb293510322f88a57664adb90e2f1a7f555f040fc5235
SHA512 ade410c168f6cf51b7a3bfa92b62d08fa030afd6c2b10300d9fbdaf4b84e82342700c978502de332f481b8219eb986452e2d98f0a48425a7e107aad7c4984396

C:\Users\Admin\AppData\Local\Temp\debd640cb03d667c44d4623e5aca94fa2dcf0604.exe

MD5 6bb133ad7863bf2b0919d49cfc84fb53
SHA1 6c6d8e7d38baa8eef16db3c50b592d51aac0f48e
SHA256 368a3045eeeb3899c8456e25e5404ce4d621b6b7dc5a0f3867d0cf3f451bc01b
SHA512 c862c4194a00ad411e6494720288dadc5fee13215d52ec2eabdc8a861dbcdc2f5c695e92c42291830f322fb377cb82f326d73abca57e79f898c9c2ddd80e1a44

C:\Users\Admin\AppData\Local\Temp\799bc677-0fac-4adc-9a92-b960b97de8dc.vbs

MD5 fa44ca3284f2e1eddff392a8f0c8fcd8
SHA1 a8b36d50ca97bdb2d48c67f9284e4d9eae008762
SHA256 ef05c1f56837f6e770325f03505e799a6e219d7a606624c1ee72598b8518a6b3
SHA512 b6f9252a6d850662a1be0b171a7968432ab840cbd84bcce4a0ffdafe9c5a2ae09a8dcd6de1628395ba13c293785dc4a9a39b6d6b4fc858b91e1ccfc42798a866

C:\Users\Admin\AppData\Local\Temp\b16c6f76-e247-408c-a894-f4d349f6c600.vbs

MD5 72af41a91497c7bb36072492c9c83be0
SHA1 62469c691670a430b9b9471216eb81e238030cf4
SHA256 6322c98ede3a41f07b40f01b3fbfbaa4621291314d719c3e4a5b969b6f636770
SHA512 cdf96eaad60dae2d4f481e3ed9c5c3e2d23017534b0e2bbd22b0d9364e5677688d5c9e2cdbce22e9d64c4e32cf78969666325a97bba96ff956eb2a8d1ed1034e

memory/1836-215-0x00000000000B0000-0x00000000001EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8024b097-5de2-4f1e-81a2-02127186665c.vbs

MD5 857ab19c11ed26bd453da5000ffdfdeb
SHA1 9cac53a060548d0278e0c98a11fcc51f93dc1310
SHA256 58dd27e344c10fc77eee19524da4551b48d070e8e3cc4b580258937f1b3b1df3
SHA512 121bb37cd28269668a9d98395031c3f02557fa89a31a25047e2706462755728364d82daca7b46360411947b5d0b93f6f9d1281da1c512f6e5a77f32bcd7eefb8

memory/352-227-0x0000000000EC0000-0x0000000000FFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7bf7f696-be4a-41cd-8316-3a7beac2b137.vbs

MD5 8415707aa1ad109d89da3b4250e35059
SHA1 e8f6108c86b7ab588418f89e369ac9c786208406
SHA256 4f2cc22adb5abf148737a45f07dfcf648fef2a446d6c0723d139f489fb5d542d
SHA512 04d4a0592619f4b7afa1311e2b7c981950768aaf2af6afa09c99b48fea190decb7e8b8371f61ba1358e73aa6b7315296828e64483942a64e9dee342ed600117a

C:\Users\Admin\AppData\Local\Temp\d58aebe2-93f5-4c12-a45a-c34d83e36b35.vbs

MD5 d7c42b5f49df229b3b19366bf7b56390
SHA1 cb6095be7c504a130aed7ddd8337599a9086d2c2
SHA256 f1d1e0790bff9093c87eaba982eed77f0e8cb36085414c6fd0408c23ddde8f01
SHA512 7e1e9a48a2c295f9e783509ec9f68bd39ee16ed5eda4bb588d91ed1bad77b711081391fb2ed57f2c7aeb0c6c35460c86c3f5ec2073968bddd93569dfa56ceaf8

memory/2960-250-0x0000000000F90000-0x00000000010CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e1c60ae0-028d-4130-8c4b-9ca5aa13e98e.vbs

MD5 2535cb689859ca944a58fd28c96f4309
SHA1 d2d58a068153cba478e5e411d2b10106cbcfd1bf
SHA256 fd05728726ad5290d4ec9b8a54a8932cb2cc684224a7373f216cc48d3e2a3f00
SHA512 152e6062e80174efbb74f17c9fb51bbcfc451e2e1da749a4296058c73ab143450435d925ca400ae185203594a84ff2f5cea316ce3108801d8b7c87860a435695

memory/2284-262-0x0000000001060000-0x000000000119A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9a1963a4-c2b1-4584-a121-b3aea982b305.vbs

MD5 c2ccdd86f92764f5df76181681eb42db
SHA1 0ebe5e0ec018265ac783b5183f94d23394ad141d
SHA256 4b05d71254db504055668ea7658249a66f83c3e14e98ffbfac2998b3bab4d514
SHA512 debc77b40ca5bfd877b9987e710afc0764b099663382ccc5e3cd40ed0437f2fe958592b7741a1f1a056baafe234ebe1a9e380a2ee33e99beca9e3f54b291f0f4

C:\Users\Admin\AppData\Local\Temp\fc820fc2-6db9-4643-a898-85e0e30b4760.vbs

MD5 8e2504782887ef9dd5bb62e0ca61d58f
SHA1 37b774258fe9ea7e475b08aaa9d97ba39515d2b7
SHA256 612280850f4a85184ca56964ec22b0d148d7f79ac176abe773db0a170cd226b7
SHA512 99949402afbf04c80d1bba81bbbd22f0236dbbfc246349e83e146f16db830acd1901d6d386a251b9f03905cfeb69f00f96a66d3090f5a9c9e2664ec083be1899

C:\Users\Admin\AppData\Local\Temp\69ccb2bd-6a36-4291-9c39-8300aab3e561.vbs

MD5 4455118f17744376a1e4d0f34689858d
SHA1 22e671d6a717de0328fea0d6ea3b9ef8d10a1d42
SHA256 2bc3facc661f41d8302b2af886fbf3adedf0bd56d69400c6cc3c69f759694705
SHA512 a9cf9de629f6b15902c5dc11e0a64940762cdd79d0048169e1892f3c71dbb45d0a3602f2fa2d9fa5399d1977caeafaee72bc625c2dd650d2570aa1d791bdd21b

C:\Users\Admin\AppData\Local\Temp\e0116909-81f8-4b54-aa90-d0fa89f4b2c6.vbs

MD5 d90cde2b33be1187fea97f338e775f25
SHA1 9ae8fd319747c8a50b28761c0508f46d2319b877
SHA256 46a01a6f4d73966f6e02a3d1d2aac26039dc641042187da4528ac0e95f35daeb
SHA512 8099d8e08cae6afd0eaaa2295b74db89932305fd6f3dc159bac04ef668f36ec83ff36b43d2f6758dfac65a58cdf6fba20bd979194e566bd58026df4309f75e71

C:\Users\Admin\AppData\Local\Temp\d68313b8-2f7b-4032-b6d7-24b38b9ca200.vbs

MD5 649435c2b51bcd3011e67affcc457772
SHA1 ef4733d85116975b0ca6e0f847fc91078ed0b27b
SHA256 a6e8d26b29cd97eb20ea6ea93a1c2110f95778398c532aba04ed327e4ac7c070
SHA512 1098454ac1800cfd0496568d3d15d729274e8c713146be708280ddf7358ddbe825b54fc3a5d52f4f2971b9532d66229f0d6a979e58256e21b689748b3e59dd96

memory/2580-318-0x00000000013D0000-0x000000000150A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\76086249-f61b-437a-ab99-d44f99ded0fe.vbs

MD5 e472e20165a4bb94474d7ffe5487c4a3
SHA1 3b73d0d95dc54588b97d7b682cf5ac499c4cabab
SHA256 1c69bd873068096a545aa8d46da52ac43db88c2684403eba35dc59467825ab31
SHA512 c99ad189f47c2a91961a9c48bc10718fe6069e33b405aea84991f3d644a49271fdb9df1755e0ec0fa8963bc3b07abcbde1b45682f7062684891aafe0d47666e7

C:\Users\Admin\AppData\Local\Temp\18065e9e-5672-4baf-9203-613b4a3ca4ec.vbs

MD5 27837288ba3b4f35fbf253f84ae684d4
SHA1 4aaa0515c7f5ddb817c99f1c7a40ca5b989d7ca3
SHA256 c72ec4057c8169ced3060e2033074c96755601b6eeba4f301b22fbf6fc6f109c
SHA512 2e99b7bf90f5e88ce70c1b0a790097622ab22ae4c2dea3d3fd019ef8322e608ac8477b6931c21ff4926d23792e60a4a8460357b85816415d1f4c6be5218e82b4

memory/2996-339-0x00000000000F0000-0x000000000022A000-memory.dmp