Malware Analysis Report

2024-11-15 05:49

Sample ID 240515-bntfraad74
Target 57a247f9f8794206cc585e249c645a30_NeikiAnalytics
SHA256 b0b428f37e12d95bc74fb16db83d51c3f16f4cf5121061a1b4b84fd1e13180e2
Tags: rat dcrat evasion execution infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

b0b428f37e12d95bc74fb16db83d51c3f16f4cf5121061a1b4b84fd1e13180e2

Threat Level: Known bad

The file 57a247f9f8794206cc585e249c645a30_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion execution infostealer persistence trojan

Modifies WinLogon for persistence

DCRat payload

Dcrat family

UAC bypass

DcRat

Process spawned unexpected child process

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 01:17

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 01:17

Reported

2024-05-15 01:20

Platform

win7-20240221-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\", \"C:\\Program Files (x86)\\Google\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\", \"C:\\Program Files (x86)\\Google\\services.exe\", \"C:\\Program Files\\Windows Sidebar\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\", \"C:\\Program Files (x86)\\Google\\services.exe\", \"C:\\Program Files\\Windows Sidebar\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\smss.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\", \"C:\\Program Files (x86)\\Google\\services.exe\", \"C:\\Program Files\\Windows Sidebar\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\", \"C:\\Program Files (x86)\\Google\\services.exe\", \"C:\\Program Files\\Windows Sidebar\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\", \"C:\\Program Files (x86)\\Google\\services.exe\", \"C:\\Program Files\\Windows Sidebar\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(identical row repeated 51 times in the report: 51 schtasks.exe launches with wmiprvse.exe as parent)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\services.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Windows Sidebar\services.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\Start Menu\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\Java\\jre7\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Admin\\Favorites\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Google\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\Java\\jre7\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Sidebar\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Admin\\Favorites\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Google\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Sidebar\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\Start Menu\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Sidebar\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\services.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jre7\RCX3401.tmp C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jre7\lsm.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\services.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Mail\es-ES\dllhost.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Sidebar\services.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Google\services.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Google\services.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Sidebar\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX3604.tmp C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Mail\es-ES\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\services.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Mail\es-ES\RCX3EFE.tmp C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Google\RCX43E0.tmp C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\RCX4C5C.tmp C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\1033\RCX4E60.tmp C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Mail\es-ES\dllhost.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files\Java\jre7\lsm.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files\Java\jre7\101b941d020240 C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\services.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files\Microsoft Office\Office14\1033\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX2D88.tmp C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\RCX4651.tmp C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Program Files\Windows Sidebar\services.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = <binary blob omitted> C:\Program Files\Windows Sidebar\services.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\services.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\services.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\services.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\services.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\services.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\services.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\services.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\services.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\services.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\services.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\services.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\services.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\services.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\services.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\services.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\services.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\services.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Favorites\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Favorites\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Documents\My Pictures\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Pictures\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\My Pictures\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Start Menu\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Start Menu\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\es-ES\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\es-ES\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'

C:\Program Files\Windows Sidebar\services.exe

"C:\Program Files\Windows Sidebar\services.exe"

Network

Country Destination Domain Proto
RU 94.250.255.250:80 94.250.255.250 tcp
RU 94.250.255.250:443 tcp
RU 94.250.255.250:443 tcp

Files

memory/2492-0-0x000007FEF5363000-0x000007FEF5364000-memory.dmp

memory/2492-1-0x0000000000EF0000-0x00000000011B0000-memory.dmp

memory/2492-2-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp

memory/2492-3-0x00000000002C0000-0x00000000002C8000-memory.dmp

memory/2492-4-0x00000000009F0000-0x0000000000A0C000-memory.dmp

memory/2492-6-0x0000000000440000-0x0000000000450000-memory.dmp

memory/2492-5-0x00000000002D0000-0x00000000002D8000-memory.dmp

memory/2492-7-0x0000000000A10000-0x0000000000A26000-memory.dmp

memory/2492-8-0x0000000000A30000-0x0000000000A38000-memory.dmp

memory/2492-9-0x0000000000B30000-0x0000000000B38000-memory.dmp

memory/2492-10-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

memory/2492-11-0x0000000000B40000-0x0000000000B4A000-memory.dmp

memory/2492-12-0x000000001A930000-0x000000001A986000-memory.dmp

memory/2492-13-0x0000000000ED0000-0x0000000000ED8000-memory.dmp

memory/2492-14-0x000000001A980000-0x000000001A988000-memory.dmp

memory/2492-15-0x0000000000EE0000-0x0000000000EEC000-memory.dmp

memory/2492-16-0x000000001A990000-0x000000001A998000-memory.dmp

memory/2492-17-0x000000001A9A0000-0x000000001A9AC000-memory.dmp

memory/2492-18-0x000000001A9B0000-0x000000001A9BC000-memory.dmp

memory/2492-19-0x000000001A9F0000-0x000000001A9F8000-memory.dmp

memory/2492-20-0x000000001A9D0000-0x000000001A9D8000-memory.dmp

memory/2492-21-0x000000001A9C0000-0x000000001A9CC000-memory.dmp

memory/2492-22-0x000000001A9E0000-0x000000001A9EC000-memory.dmp

memory/2492-23-0x000000001AA00000-0x000000001AA08000-memory.dmp

memory/2492-24-0x000000001AA10000-0x000000001AA1A000-memory.dmp

memory/2492-25-0x000000001AA20000-0x000000001AA2C000-memory.dmp

memory/2492-26-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp

C:\Program Files\Java\jre7\lsm.exe

MD5 57a247f9f8794206cc585e249c645a30
SHA1 62181064bcea86150b2bc7c800c026b3e8054aa3
SHA256 b0b428f37e12d95bc74fb16db83d51c3f16f4cf5121061a1b4b84fd1e13180e2
SHA512 f0fb8bdebce741d8aeee50243899d5f2e4c5bc4be16d7a2c40fa5400deec37945382ea34ed888c8920461ce42a1f50e55e57b28e9132e76b7267ea36945ca3da

C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\Idle.exe

MD5 13990a3ac73e1d814da94d3d141a7487
SHA1 68da3ec90ed58854b51679ac2d3f7293c145f341
SHA256 2d7e9e3c60ec2ed4376b2ccefe83bf8836352b094865761aec39ae1e85cb0f6a
SHA512 0b46b28833500a5bf67db7b12e846edaa92b67db9577dbe1d3189f32e004c9b984b9b117c438bb6ac047220f1abd07c94c3fada9328733afa24b2d8a83b40930

C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe

MD5 33f550e3f6961449918a702dbd733ab7
SHA1 637a107980a078c242f6a821b683458302754863
SHA256 23a4c3d43695572aa558e5f8c400adc2a9987bb57e83a066093359356793d59f
SHA512 8fefdc7fbeec3ce2226e63a418656e23a199ed18804929c18f9dbd50400e2aae898cc0cdd28bdc84c7759dcad638e9b9ae450504074ee61902410a8e6dd5471d

C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe

MD5 2aba29fb0547ccd9ceca78fd2775502e
SHA1 ed9a1b97e1131e5649990e72267593dc6f68c66d
SHA256 d23aee48e2a09bd96b12f9a921ae8b9a42d41d854c9338bd66b75c5399bd6deb
SHA512 5095b9b8addf78212a74a6df79aa843e67231755984c0aa45cfa7bd13a6c405a0b132f20631933dec28290737d17345261a1aa6c308b8d342360d553f8f088d0

memory/1468-186-0x00000000011A0000-0x0000000001460000-memory.dmp

memory/2288-189-0x0000000001D90000-0x0000000001D98000-memory.dmp

memory/2288-188-0x000000001B660000-0x000000001B942000-memory.dmp

memory/2492-187-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 01:17

Reported

2024-05-15 01:20

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Cookies\\SppExtComObj.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\", \"C:\\Users\\All Users\\Application Data\\services.exe\", \"C:\\Program Files\\dotnet\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Cookies\\SppExtComObj.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\", \"C:\\Users\\All Users\\Application Data\\services.exe\", \"C:\\Program Files\\dotnet\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\winlogon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Cookies\\SppExtComObj.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\", \"C:\\Users\\All Users\\Application Data\\services.exe\", \"C:\\Program Files\\dotnet\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\winlogon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Cookies\\SppExtComObj.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\", \"C:\\Users\\All Users\\Application Data\\services.exe\", \"C:\\Program Files\\dotnet\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\winlogon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Cookies\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Cookies\\SppExtComObj.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Cookies\\SppExtComObj.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\", \"C:\\Users\\All Users\\Application Data\\services.exe\", \"C:\\Program Files\\dotnet\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Cookies\\SppExtComObj.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\", \"C:\\Users\\All Users\\Application Data\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Cookies\\SppExtComObj.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\", \"C:\\Users\\All Users\\Application Data\\services.exe\", \"C:\\Program Files\\dotnet\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Cookies\\SppExtComObj.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\", \"C:\\Users\\All Users\\Application Data\\services.exe\", \"C:\\Program Files\\dotnet\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\winlogon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(identical row repeated 45 times in the report: 45 schtasks.exe launches with wmiprvse.exe as parent)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Portable Devices\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Portable Devices\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
(identical row repeated 5 times in the report: 5 DCRat payload matches)

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Windows Portable Devices\winlogon.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\dotnet\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Google\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\Admin\\Cookies\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\dotnet\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\All Users\\Application Data\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Portable Devices\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Media Player\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Recovery\\WindowsRE\\sysmon.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\All Users\\Application Data\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Recovery\\WindowsRE\\sysmon.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Google\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\Admin\\Cookies\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Media Player\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Portable Devices\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Portable Devices\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Portable Devices\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Portable Devices\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\winlogon.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Portable Devices\services.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files\VideoLAN\VLC\ea9f0e6c9e2dcd C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\e6c9b481da804f C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Portable Devices\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files\dotnet\e1ef82546f0b02 C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Portable Devices\winlogon.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Portable Devices\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\RCX51AE.tmp C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\services.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\dotnet\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RCX6145.tmp C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX684D.tmp C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files\Google\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files\VideoLAN\VLC\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Mail\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\services.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RCX4FA9.tmp C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\winlogon.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\dotnet\RCX5CBF.tmp C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\RCX63C7.tmp C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files\Google\services.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Media Player\Media Renderer\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files\dotnet\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Media Player\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\55b276f4edf653 C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\RCX5839.tmp C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\RCX6649.tmp C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Media Player\Media Renderer\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Mail\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Media Player\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\RCX4D76.tmp C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\RCX5EC4.tmp C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(identical row repeated 45 times in the report: 45 scheduled-task creations via schtasks.exe)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Windows Portable Devices\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Portable Devices\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Portable Devices\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Portable Devices\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Portable Devices\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Portable Devices\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Portable Devices\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Portable Devices\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Portable Devices\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Portable Devices\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Portable Devices\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Portable Devices\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Portable Devices\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Portable Devices\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Portable Devices\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Portable Devices\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Portable Devices\winlogon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Portable Devices\winlogon.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Portable Devices\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Portable Devices\winlogon.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Google\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Media Renderer\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Media Renderer\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Cookies\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Cookies\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Application Data\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Application Data\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\dotnet\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wYX5El6vYF.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Portable Devices\winlogon.exe

"C:\Program Files\Windows Portable Devices\winlogon.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
RU 94.250.255.250:80 94.250.255.250 tcp
RU 94.250.255.250:443 tcp
RU 94.250.255.250:443 tcp
US 8.8.8.8:53 250.255.250.94.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

memory/2928-0-0x00007FFB824E3000-0x00007FFB824E5000-memory.dmp

memory/2928-1-0x00000000005A0000-0x0000000000860000-memory.dmp

memory/2928-2-0x00007FFB824E0000-0x00007FFB82FA1000-memory.dmp

memory/2928-3-0x000000001B350000-0x000000001B358000-memory.dmp

memory/2928-4-0x000000001B360000-0x000000001B37C000-memory.dmp

memory/2928-5-0x000000001BB70000-0x000000001BBC0000-memory.dmp

memory/2928-7-0x000000001B390000-0x000000001B3A0000-memory.dmp

memory/2928-6-0x000000001B380000-0x000000001B388000-memory.dmp

memory/2928-8-0x000000001B3A0000-0x000000001B3B6000-memory.dmp

memory/2928-10-0x000000001B3E0000-0x000000001B3E8000-memory.dmp

memory/2928-9-0x000000001B3D0000-0x000000001B3D8000-memory.dmp

memory/2928-11-0x000000001B3F0000-0x000000001B400000-memory.dmp

memory/2928-12-0x000000001B400000-0x000000001B40A000-memory.dmp

memory/2928-13-0x000000001BB20000-0x000000001BB76000-memory.dmp

memory/2928-14-0x000000001BBC0000-0x000000001BBC8000-memory.dmp

memory/2928-15-0x000000001BBD0000-0x000000001BBD8000-memory.dmp

memory/2928-16-0x000000001BBE0000-0x000000001BBEC000-memory.dmp

memory/2928-17-0x000000001BBF0000-0x000000001BBF8000-memory.dmp

memory/2928-18-0x000000001BC00000-0x000000001BC0C000-memory.dmp

memory/2928-19-0x000000001BC10000-0x000000001BC1C000-memory.dmp

memory/2928-20-0x000000001BE70000-0x000000001BE78000-memory.dmp

memory/2928-22-0x000000001BE30000-0x000000001BE3C000-memory.dmp

memory/2928-24-0x000000001BE50000-0x000000001BE58000-memory.dmp

memory/2928-23-0x000000001BE40000-0x000000001BE4C000-memory.dmp

memory/2928-21-0x000000001BD20000-0x000000001BD28000-memory.dmp

memory/2928-26-0x000000001BEC0000-0x000000001BECC000-memory.dmp

memory/2928-25-0x000000001BE60000-0x000000001BE6A000-memory.dmp

memory/2928-27-0x00007FFB824E0000-0x00007FFB82FA1000-memory.dmp

memory/2928-30-0x00007FFB824E0000-0x00007FFB82FA1000-memory.dmp

C:\Recovery\WindowsRE\backgroundTaskHost.exe

MD5 57a247f9f8794206cc585e249c645a30
SHA1 62181064bcea86150b2bc7c800c026b3e8054aa3
SHA256 b0b428f37e12d95bc74fb16db83d51c3f16f4cf5121061a1b4b84fd1e13180e2
SHA512 f0fb8bdebce741d8aeee50243899d5f2e4c5bc4be16d7a2c40fa5400deec37945382ea34ed888c8920461ce42a1f50e55e57b28e9132e76b7267ea36945ca3da

C:\Program Files\VideoLAN\VLC\taskhostw.exe

MD5 b89e7dee183931b0505775b76e8414e1
SHA1 2755d7240e3cb5530ae8f119e4811a60528f2d42
SHA256 d3592c4629890388ddd2243bdb14dcad8f7d409075d0fcf422b091de24673bf9
SHA512 6d253fc961ca46035772c8796424c373391c095be10f9c54bcbfc9c5b9bd20bfafff51713bcaa87692f7cbede3566010721e9b7d8c4fc56ef10a2ac276be20df

memory/2928-166-0x00007FFB824E0000-0x00007FFB82FA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lpdwvipm.3un.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2588-176-0x000001DDFEF80000-0x000001DDFEFA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wYX5El6vYF.bat

MD5 b269dc32ea3ef55eaeae55361dcc6a6f
SHA1 994fd368c49b538f48a26b8852893f5eaa913026
SHA256 cf703e48081d799671f4d95e804d72c196d689624e2540e896e904e3abc7475a
SHA512 b36cc0a275dc4aedd1ea38dd97597de67fb072a08fa5fb6482ed11e3229cd5ef1ac160bbe56286d94249a814c7bc493747444678166356910187536ceb0abfb4

C:\Program Files\Windows Portable Devices\winlogon.exe

MD5 e147292cc17642d7cc7a9666a57c4eef
SHA1 7b83b0cd8aa1969465881f6c7faf5426c64e2ac0
SHA256 a489e5bd2054857ac8fa3bb874d6e59130c34317713a4a8cf3793d5ce6dec0b2
SHA512 8693639bd7e4f41aba578d1a661b650108f1f4c87d74accb1a87cca7dbf06bd410141b32c1d689d567119651416d40d2fe183f9e0a3f3bf8ba589ef53b5e2ada

memory/1444-183-0x0000000000B40000-0x0000000000E00000-memory.dmp

memory/1444-184-0x000000001C130000-0x000000001C186000-memory.dmp