Analysis Overview
SHA256
b0b428f37e12d95bc74fb16db83d51c3f16f4cf5121061a1b4b84fd1e13180e2
Threat Level: Known bad
The file 57a247f9f8794206cc585e249c645a30_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
DCRat payload
Dcrat family
UAC bypass
DcRat
Process spawned unexpected child process
DCRat payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Checks whether UAC is enabled
Adds Run key to start application
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-15 01:17
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-15 01:17
Reported
2024-05-15 01:20
Platform
win7-20240221-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
DcRat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\", \"C:\\Program Files (x86)\\Google\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\", \"C:\\Program Files (x86)\\Google\\services.exe\", \"C:\\Program Files\\Windows Sidebar\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\", \"C:\\Program Files (x86)\\Google\\services.exe\", \"C:\\Program Files\\Windows Sidebar\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\smss.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\", \"C:\\Program Files (x86)\\Google\\services.exe\", \"C:\\Program Files\\Windows Sidebar\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\", \"C:\\Program Files (x86)\\Google\\services.exe\", \"C:\\Program Files\\Windows Sidebar\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\", \"C:\\Program Files (x86)\\Google\\services.exe\", \"C:\\Program Files\\Windows Sidebar\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Sidebar\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Sidebar\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Sidebar\services.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Windows Sidebar\services.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\Start Menu\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\Java\\jre7\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Admin\\Favorites\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Google\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\Java\\jre7\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Sidebar\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Admin\\Favorites\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Google\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Sidebar\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\Start Menu\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Sidebar\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Sidebar\services.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Creates scheduled task(s)
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Program Files\Windows Sidebar\services.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Sidebar\services.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Sidebar\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Sidebar\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Sidebar\services.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Favorites\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Favorites\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Documents\My Pictures\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Pictures\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\My Pictures\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Start Menu\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Start Menu\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\es-ES\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\es-ES\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
C:\Program Files\Windows Sidebar\services.exe
"C:\Program Files\Windows Sidebar\services.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 94.250.255.250:80 | 94.250.255.250 | tcp |
| RU | 94.250.255.250:443 | | tcp |
| RU | 94.250.255.250:443 | | tcp |
Files
C:\Program Files\Java\jre7\lsm.exe
| MD5 | 57a247f9f8794206cc585e249c645a30 |
| SHA1 | 62181064bcea86150b2bc7c800c026b3e8054aa3 |
| SHA256 | b0b428f37e12d95bc74fb16db83d51c3f16f4cf5121061a1b4b84fd1e13180e2 |
| SHA512 | f0fb8bdebce741d8aeee50243899d5f2e4c5bc4be16d7a2c40fa5400deec37945382ea34ed888c8920461ce42a1f50e55e57b28e9132e76b7267ea36945ca3da |
C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\Idle.exe
| MD5 | 13990a3ac73e1d814da94d3d141a7487 |
| SHA1 | 68da3ec90ed58854b51679ac2d3f7293c145f341 |
| SHA256 | 2d7e9e3c60ec2ed4376b2ccefe83bf8836352b094865761aec39ae1e85cb0f6a |
| SHA512 | 0b46b28833500a5bf67db7b12e846edaa92b67db9577dbe1d3189f32e004c9b984b9b117c438bb6ac047220f1abd07c94c3fada9328733afa24b2d8a83b40930 |
C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe
| MD5 | 33f550e3f6961449918a702dbd733ab7 |
| SHA1 | 637a107980a078c242f6a821b683458302754863 |
| SHA256 | 23a4c3d43695572aa558e5f8c400adc2a9987bb57e83a066093359356793d59f |
| SHA512 | 8fefdc7fbeec3ce2226e63a418656e23a199ed18804929c18f9dbd50400e2aae898cc0cdd28bdc84c7759dcad638e9b9ae450504074ee61902410a8e6dd5471d |
C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe
| MD5 | 2aba29fb0547ccd9ceca78fd2775502e |
| SHA1 | ed9a1b97e1131e5649990e72267593dc6f68c66d |
| SHA256 | d23aee48e2a09bd96b12f9a921ae8b9a42d41d854c9338bd66b75c5399bd6deb |
| SHA512 | 5095b9b8addf78212a74a6df79aa843e67231755984c0aa45cfa7bd13a6c405a0b132f20631933dec28290737d17345261a1aa6c308b8d342360d553f8f088d0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-15 01:17
Reported
2024-05-15 01:20
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
DcRat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Cookies\\SppExtComObj.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\", \"C:\\Users\\All Users\\Application Data\\services.exe\", \"C:\\Program Files\\dotnet\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Cookies\\SppExtComObj.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\", \"C:\\Users\\All Users\\Application Data\\services.exe\", \"C:\\Program Files\\dotnet\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\winlogon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Cookies\\SppExtComObj.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\", \"C:\\Users\\All Users\\Application Data\\services.exe\", \"C:\\Program Files\\dotnet\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\winlogon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Cookies\\SppExtComObj.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\", \"C:\\Users\\All Users\\Application Data\\services.exe\", \"C:\\Program Files\\dotnet\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\winlogon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\StartMenuExperienceHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Cookies\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Cookies\\SppExtComObj.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Cookies\\SppExtComObj.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\", \"C:\\Users\\All Users\\Application Data\\services.exe\", \"C:\\Program Files\\dotnet\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Cookies\\SppExtComObj.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\", \"C:\\Users\\All Users\\Application Data\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Cookies\\SppExtComObj.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\", \"C:\\Users\\All Users\\Application Data\\services.exe\", \"C:\\Program Files\\dotnet\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files\\Google\\services.exe\", \"C:\\Program Files\\Windows Portable Devices\\services.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Cookies\\SppExtComObj.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\", \"C:\\Users\\All Users\\Application Data\\services.exe\", \"C:\\Program Files\\dotnet\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\winlogon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Portable Devices\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Portable Devices\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Portable Devices\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Portable Devices\winlogon.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\dotnet\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\StartMenuExperienceHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Google\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\Admin\\Cookies\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\dotnet\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\All Users\\Application Data\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Portable Devices\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Media Player\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Recovery\\WindowsRE\\sysmon.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Media Player\\Media Renderer\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\All Users\\Application Data\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Recovery\\WindowsRE\\sysmon.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Google\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\Admin\\Cookies\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Media Player\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Portable Devices\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Portable Devices\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\StartMenuExperienceHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Portable Devices\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Portable Devices\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Portable Devices\winlogon.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Portable Devices\winlogon.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Portable Devices\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Portable Devices\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Portable Devices\winlogon.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Google\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Media Renderer\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Media Renderer\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Cookies\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Cookies\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\taskhostw.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Application Data\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Application Data\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\dotnet\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wYX5El6vYF.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Portable Devices\winlogon.exe
"C:\Program Files\Windows Portable Devices\winlogon.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| RU | 94.250.255.250:80 | 94.250.255.250 | tcp |
| RU | 94.250.255.250:443 | | tcp |
| RU | 94.250.255.250:443 | | tcp |
| US | 8.8.8.8:53 | 250.255.250.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
memory/2928-0-0x00007FFB824E3000-0x00007FFB824E5000-memory.dmp
memory/2928-1-0x00000000005A0000-0x0000000000860000-memory.dmp
memory/2928-2-0x00007FFB824E0000-0x00007FFB82FA1000-memory.dmp
memory/2928-3-0x000000001B350000-0x000000001B358000-memory.dmp
memory/2928-4-0x000000001B360000-0x000000001B37C000-memory.dmp
memory/2928-5-0x000000001BB70000-0x000000001BBC0000-memory.dmp
memory/2928-7-0x000000001B390000-0x000000001B3A0000-memory.dmp
memory/2928-6-0x000000001B380000-0x000000001B388000-memory.dmp
memory/2928-8-0x000000001B3A0000-0x000000001B3B6000-memory.dmp
memory/2928-10-0x000000001B3E0000-0x000000001B3E8000-memory.dmp
memory/2928-9-0x000000001B3D0000-0x000000001B3D8000-memory.dmp
memory/2928-11-0x000000001B3F0000-0x000000001B400000-memory.dmp
memory/2928-12-0x000000001B400000-0x000000001B40A000-memory.dmp
memory/2928-13-0x000000001BB20000-0x000000001BB76000-memory.dmp
memory/2928-14-0x000000001BBC0000-0x000000001BBC8000-memory.dmp
memory/2928-15-0x000000001BBD0000-0x000000001BBD8000-memory.dmp
memory/2928-16-0x000000001BBE0000-0x000000001BBEC000-memory.dmp
memory/2928-17-0x000000001BBF0000-0x000000001BBF8000-memory.dmp
memory/2928-18-0x000000001BC00000-0x000000001BC0C000-memory.dmp
memory/2928-19-0x000000001BC10000-0x000000001BC1C000-memory.dmp
memory/2928-20-0x000000001BE70000-0x000000001BE78000-memory.dmp
memory/2928-22-0x000000001BE30000-0x000000001BE3C000-memory.dmp
memory/2928-24-0x000000001BE50000-0x000000001BE58000-memory.dmp
memory/2928-23-0x000000001BE40000-0x000000001BE4C000-memory.dmp
memory/2928-21-0x000000001BD20000-0x000000001BD28000-memory.dmp
memory/2928-26-0x000000001BEC0000-0x000000001BECC000-memory.dmp
memory/2928-25-0x000000001BE60000-0x000000001BE6A000-memory.dmp
memory/2928-27-0x00007FFB824E0000-0x00007FFB82FA1000-memory.dmp
memory/2928-30-0x00007FFB824E0000-0x00007FFB82FA1000-memory.dmp
C:\Recovery\WindowsRE\backgroundTaskHost.exe
| MD5 | 57a247f9f8794206cc585e249c645a30 |
| SHA1 | 62181064bcea86150b2bc7c800c026b3e8054aa3 |
| SHA256 | b0b428f37e12d95bc74fb16db83d51c3f16f4cf5121061a1b4b84fd1e13180e2 |
| SHA512 | f0fb8bdebce741d8aeee50243899d5f2e4c5bc4be16d7a2c40fa5400deec37945382ea34ed888c8920461ce42a1f50e55e57b28e9132e76b7267ea36945ca3da |
C:\Program Files\VideoLAN\VLC\taskhostw.exe
| MD5 | b89e7dee183931b0505775b76e8414e1 |
| SHA1 | 2755d7240e3cb5530ae8f119e4811a60528f2d42 |
| SHA256 | d3592c4629890388ddd2243bdb14dcad8f7d409075d0fcf422b091de24673bf9 |
| SHA512 | 6d253fc961ca46035772c8796424c373391c095be10f9c54bcbfc9c5b9bd20bfafff51713bcaa87692f7cbede3566010721e9b7d8c4fc56ef10a2ac276be20df |
memory/2928-166-0x00007FFB824E0000-0x00007FFB82FA1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lpdwvipm.3un.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2588-176-0x000001DDFEF80000-0x000001DDFEFA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wYX5El6vYF.bat
| MD5 | b269dc32ea3ef55eaeae55361dcc6a6f |
| SHA1 | 994fd368c49b538f48a26b8852893f5eaa913026 |
| SHA256 | cf703e48081d799671f4d95e804d72c196d689624e2540e896e904e3abc7475a |
| SHA512 | b36cc0a275dc4aedd1ea38dd97597de67fb072a08fa5fb6482ed11e3229cd5ef1ac160bbe56286d94249a814c7bc493747444678166356910187536ceb0abfb4 |
C:\Program Files\Windows Portable Devices\winlogon.exe
| MD5 | e147292cc17642d7cc7a9666a57c4eef |
| SHA1 | 7b83b0cd8aa1969465881f6c7faf5426c64e2ac0 |
| SHA256 | a489e5bd2054857ac8fa3bb874d6e59130c34317713a4a8cf3793d5ce6dec0b2 |
| SHA512 | 8693639bd7e4f41aba578d1a661b650108f1f4c87d74accb1a87cca7dbf06bd410141b32c1d689d567119651416d40d2fe183f9e0a3f3bf8ba589ef53b5e2ada |
memory/1444-183-0x0000000000B40000-0x0000000000E00000-memory.dmp
memory/1444-184-0x000000001C130000-0x000000001C186000-memory.dmp