Analysis Overview
SHA256: ea2c6dc28317191ff3aa2fc75fc9d3fd8a64510c4118b07074e67f1d0c6e1ef9
Threat Level: Known bad
The file 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
UAC bypass
DcRat
DCRat payload
Dcrat family
Modifies WinLogon for persistence
DCRat payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Modifies system certificate store
System policy modification
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-05-15 05:14
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-15 05:14
Reported: 2024-05-15 05:17
Platform: win7-20231129-en
Max time kernel: 119s
Max time network: 120s
Command Line
Signatures
DcRat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Users\\Default\\Local Settings\\dwm.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Users\\Default\\Local Settings\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Users\\Default\\Local Settings\\dwm.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Users\\Default\\Local Settings\\dwm.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\wininit.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Default User\wininit.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default User\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default\\Local Settings\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default User\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default\\Local Settings\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Sidebar\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Sidebar\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default User\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\wininit.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Windows Defender\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Filters\RCX142F.tmp | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\RCX18A4.tmp | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\de-DE\wininit.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\de-DE\56085415360792 | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\Filters\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Filters\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\Filters\0a1fd5f707cd16 | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\cc11b995f2a76d | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\de-DE\wininit.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Default User\wininit.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 | C:\Users\Default User\wininit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Default User\wininit.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Microsoft Shared\Filters\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\Filters\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Microsoft Shared\Filters\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Local Settings\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Local Settings\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IFf9IaIrAX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\wininit.exe
"C:\Users\Default User\wininit.exe"
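The process list above shows the DCRat persistence pattern: every dropped copy is registered three times with schtasks.exe (a /sc MINUTE task, an /sc ONLOGON task at /rl HIGHEST, and a second MINUTE task at HIGHEST), the interval tasks are named after the binary plus one trailing letter, and the binary carries a Windows process name but lives outside the Windows directories. The script below is an added example, not part of the sandbox report, that applies that logic to schtasks command lines; its sample lines are copied from the behavioral1 process list plus one constructed benign line, and the function names and thresholds are my own.

```python
"""Flag DCRat-style scheduled-task persistence in schtasks.exe command lines.

Added example, not part of the sandbox report: the sample lines are copied
from the behavioral1 process list (plus one constructed benign line); the
function names and thresholds are my own.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Names this sample gives its dropped copies. A binary with one of these
# names living outside the Windows directories is a masquerade.
SYSTEM_BINARY_NAMES = {
    "wininit.exe", "dllhost.exe", "sppsvc.exe", "csrss.exe", "winlogon.exe",
    "explorer.exe", "audiodg.exe", "dwm.exe", "spoolsv.exe", "system.exe",
    "idle.exe", "lsass.exe", "services.exe", "fontdrvhost.exe",
    "runtimebroker.exe", "sihost.exe",
}
LEGIT_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

# schtasks switches we care about; values may be "quoted" or bare tokens.
_SWITCH = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)

SAMPLE_CMDLINES = [
    # copied from the report: the triad for wininit.exe ...
    r"""schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /f""",
    r"""schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /rl HIGHEST /f""",
    # ... and the triad for dllhost.exe
    r"""schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f""",
    r"""schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f""",
    # constructed benign control line (not from the report)
    r"""schtasks.exe /create /tn "NightlyCleanup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\cleanmgr.exe" /f""",
]


def parse_schtasks(cmdline):
    """Return the /tn /sc /mo /tr /rl values of a `schtasks /create` line, or None."""
    if "/create" not in cmdline.lower():
        return None
    fields = dict.fromkeys(("tn", "sc", "mo", "tr", "rl"))
    for switch, value in _SWITCH.findall(cmdline):
        value = value.strip('"')
        if switch.lower() == "tr":
            value = value.strip("'")  # DCRat wraps the path as "'C:\...\x.exe'"
        fields[switch.lower()] = value
    return fields


def is_masquerade(path):
    """True if `path` reuses a Windows binary name outside the Windows directories."""
    p = PureWindowsPath(path)
    return p.name.lower() in SYSTEM_BINARY_NAMES and str(p.parent).lower() not in LEGIT_DIRS


def find_dcrat_persistence(cmdlines):
    """Group tasks by target binary and return {target: [reasons]} for suspects."""
    by_target = defaultdict(list)
    for line in cmdlines:
        fields = parse_schtasks(line)
        if fields and fields["tr"]:
            by_target[fields["tr"]].append(fields)

    findings = {}
    for target, tasks in by_target.items():
        reasons = []
        if is_masquerade(target):
            reasons.append("system binary name outside the Windows directories")
        stem = PureWindowsPath(target).stem.lower()
        names = {(t["tn"] or "").lower() for t in tasks}
        onlogon_high = any((t["sc"] or "").upper() == "ONLOGON"
                           and (t["rl"] or "").upper() == "HIGHEST" for t in tasks)
        interval = [t for t in tasks if (t["sc"] or "").upper() == "MINUTE"]
        # interval tasks named <binary stem> + one letter ("wininit" -> "wininitw")
        suffixed = any(len(n) == len(stem) + 1 and n.startswith(stem) for n in names)
        if onlogon_high and len(interval) >= 2 and suffixed:
            reasons.append("DCRat task triad: 2x MINUTE + ONLOGON at HIGHEST, "
                           "task name = binary + 1 letter")
        if reasons:
            findings[target] = reasons
    return findings


if __name__ == "__main__":
    for target, reasons in find_dcrat_persistence(SAMPLE_CMDLINES).items():
        print(target)
        for reason in reasons:
            print("  -", reason)
```

On a live host the same input comes from Sysmon event 1 / Security 4688 command lines or from exporting the task library; the benign cleanmgr line shows that a legitimate System32 target with a normal schedule produces no finding.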
Network
| Country | Destination | Domain | Proto |
| RU | 94.250.255.250:80 | 94.250.255.250 | tcp |
| RU | 94.250.255.250:443 | | tcp |
| RU | 94.250.255.250:443 | | tcp |
Files
memory/2956-0-0x000007FEF5B93000-0x000007FEF5B94000-memory.dmp
memory/2956-1-0x0000000000BE0000-0x0000000000EA0000-memory.dmp
memory/2956-2-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp
memory/2956-3-0x0000000000150000-0x0000000000158000-memory.dmp
memory/2956-4-0x00000000004F0000-0x000000000050C000-memory.dmp
memory/2956-5-0x0000000000160000-0x0000000000168000-memory.dmp
memory/2956-6-0x0000000000510000-0x0000000000520000-memory.dmp
memory/2956-7-0x0000000000530000-0x0000000000546000-memory.dmp
memory/2956-8-0x0000000000550000-0x0000000000558000-memory.dmp
memory/2956-9-0x0000000000A80000-0x0000000000A88000-memory.dmp
memory/2956-10-0x0000000000AA0000-0x0000000000AB0000-memory.dmp
memory/2956-11-0x0000000000A90000-0x0000000000A9A000-memory.dmp
memory/2956-12-0x000000001A990000-0x000000001A9E6000-memory.dmp
memory/2956-13-0x0000000000AB0000-0x0000000000AB8000-memory.dmp
memory/2956-14-0x0000000000AC0000-0x0000000000AC8000-memory.dmp
memory/2956-15-0x0000000000AD0000-0x0000000000ADC000-memory.dmp
memory/2956-16-0x0000000000BD0000-0x0000000000BD8000-memory.dmp
memory/2956-17-0x000000001A9E0000-0x000000001A9EC000-memory.dmp
memory/2956-18-0x000000001A9F0000-0x000000001A9FC000-memory.dmp
memory/2956-19-0x000000001AA00000-0x000000001AA08000-memory.dmp
memory/2956-20-0x000000001AB20000-0x000000001AB28000-memory.dmp
memory/2956-21-0x000000001AB10000-0x000000001AB1C000-memory.dmp
memory/2956-22-0x000000001AB30000-0x000000001AB3C000-memory.dmp
memory/2956-25-0x000000001AF30000-0x000000001AF3C000-memory.dmp
memory/2956-24-0x000000001AF20000-0x000000001AF2A000-memory.dmp
memory/2956-23-0x000000001AB40000-0x000000001AB48000-memory.dmp
memory/2956-26-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp
C:\Program Files (x86)\Windows Defender\winlogon.exe
| MD5 | 86ef16b6eb613bff73f73a75b7236310 |
| SHA1 | 3de6bea5685131148fb7ef9b07c6dcce2d643929 |
| SHA256 | ea2c6dc28317191ff3aa2fc75fc9d3fd8a64510c4118b07074e67f1d0c6e1ef9 |
| SHA512 | 9fd4a0bcbe5a454ea660d4ca6d7524161c2fe817be60e26d511e3f04093e1c6e0b10a11ba25ee3d709b766b63f9c5344d84ef448f5dc44884506a07b862c8e94 |
memory/2956-82-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp
memory/1124-87-0x000000001B760000-0x000000001BA42000-memory.dmp
memory/1124-88-0x0000000001ED0000-0x0000000001ED8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | b192355378d7bcfaa642fc8da264ec49 |
| SHA1 | aab9c22bbb0bc31b0d8ac7dfe4d04a2623cedbd7 |
| SHA256 | e0d1936b40c311ba873830ef700d6f9be68a0a161c06e4954921728f8c3bd1b6 |
| SHA512 | 9fbd0af75c9cbb173d4569f8355e9db0b4dbc1bd85eca0a03aee18a30ab16fdceb4077fdbca88a9712429e1d36dada162021885185d2cce93c8adeb3e986e833 |
memory/2472-130-0x000000001B6A0000-0x000000001B982000-memory.dmp
memory/2472-131-0x0000000002000000-0x0000000002008000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IFf9IaIrAX.bat
| MD5 | c6a6df61dc5119b1e88ca3a29123bbe0 |
| SHA1 | f9582841d43b651002b439fca23e6ecd5fabf7f2 |
| SHA256 | 33f5b03c80a823e0e519c9e2a35b9fd4e96d3c727fb4a08558cbdf75fbca7196 |
| SHA512 | 57a418f812244772ccc575a9014302c3d4339a96c329e5ac304ff70b5f04b1115fd40cc29aa84065af798afd9bf214b3facb6d78b1802d1511dc0130c7967700 |
memory/2852-135-0x0000000000990000-0x0000000000C50000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-15 05:14
Reported
2024-05-15 05:17
Platform
win10v2004-20240426-en
Max time kernel
130s
Max time network
99s
Command Line
Signatures
DcRat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Program Files\\Mozilla Firefox\\sihost.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\unsecapp.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Program Files\\Mozilla Firefox\\sihost.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\110.0.5481.104\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
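Besides the scheduled tasks, the sample tampers with three registry areas that a host audit can check directly: the Winlogon\Shell value (appended with extra binaries after explorer.exe, shown in both detonations), the UAC policy values EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop (all set to 0), and the Defender exclusion for the whole C:\ drive added through powershell. The script below is an added example, not part of the sandbox report: it audits a snapshot of those values, with the snapshot contents copied from the behavioral2 signatures above (the first Winlogon\Shell write, the UAC policy writes and the Add-MpPreference exclusion); the snapshot layout and the function names are my own.

```python
"""Audit a registry/Defender snapshot for the tamper this sample performs.

Added example, not part of the sandbox report. The snapshot values are copied
from the behavioral2 signatures (first Winlogon\Shell write, UAC policy writes,
Defender exclusion); the snapshot layout and function names are my own.
"""

# Constructed snapshot: what `reg query` / Get-ItemProperty / Get-MpPreference
# would return on the infected host. Values are copied from the report.
SNAPSHOT = {
    "winlogon_shell": (
        r'explorer.exe, "C:\Recovery\WindowsRE\fontdrvhost.exe", '
        r'"C:\Users\Default\Documents\My Pictures\services.exe", '
        r'"C:\Users\Admin\My Documents\upfc.exe", '
        r'"C:\Program Files\Windows Mail\Idle.exe", '
        r'"C:\Program Files\Uninstall Information\lsass.exe"'
    ),
    "uac_policy": {
        "EnableLUA": 0,
        "ConsentPromptBehaviorAdmin": 0,
        "PromptOnSecureDesktop": 0,
    },
    "defender_exclusion_paths": ["C:\\"],
}

# Expected values on a default Windows install; 0 in any of them weakens UAC.
SAFE_UAC = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}


def parse_winlogon_shell(value):
    """Split the comma-separated Winlogon\\Shell value, honouring double quotes."""
    entries, current, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            entries.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if current:
        entries.append("".join(current).strip())
    return [e for e in entries if e]


def audit_winlogon_shell(value):
    """Anything other than a lone explorer.exe is launched at every logon."""
    entries = parse_winlogon_shell(value)
    findings = []
    if not entries or entries[0].lower() != "explorer.exe":
        findings.append("Winlogon\\Shell does not start with explorer.exe: %r" % (entries[:1],))
    for extra in entries[1:]:
        findings.append("extra shell entry launched at logon: " + extra)
    return findings


def audit_uac(policy):
    """Report UAC policy values that were zeroed (absent keys keep the OS default)."""
    findings = []
    for name, safe in SAFE_UAC.items():
        actual = policy.get(name)
        if actual is not None and actual == 0:
            findings.append("%s=%d (expected %d)" % (name, actual, safe))
    return findings


def audit_defender_exclusions(paths):
    """A drive root such as C:\\ as an exclusion disables scanning for everything."""
    findings = []
    for p in paths:
        norm = p.rstrip("\\").lower()
        if len(norm) == 2 and norm[1] == ":":
            findings.append("Defender exclusion covers an entire drive: " + p)
    return findings


def audit_snapshot(snapshot):
    """Run all three checks and return the combined list of findings."""
    return (audit_winlogon_shell(snapshot["winlogon_shell"])
            + audit_uac(snapshot["uac_policy"])
            + audit_defender_exclusions(snapshot["defender_exclusion_paths"]))


if __name__ == "__main__":
    for finding in audit_snapshot(SNAPSHOT):
        print("-", finding)
```

The Winlogon parser keeps quoted paths with embedded commas intact and strips the quotes, so each extra entry comes back as a plain path that can be fed to a hash lookup or a masquerade check; the UAC check deliberately ignores absent values, since a missing value means the platform default rather than a tampered one.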
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\Mozilla Firefox\\sihost.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Google\\Chrome\\Application\\110.0.5481.104\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Mail\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Uninstall Information\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Google\\Chrome\\Application\\110.0.5481.104\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Mail\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Admin\\My Documents\\upfc.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Resources\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\unsecapp.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\debug\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\Mozilla Firefox\\sihost.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Uninstall Information\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\debug\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Resources\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Admin\\My Documents\\upfc.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\unsecapp.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Mozilla Firefox\RCX4EAC.tmp | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\Uninstall Information\lsass.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\ja-JP\e6c9b481da804f | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\it-IT\e1ef82546f0b02 | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\RCX3E97.tmp | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\MusNotification.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\RCX4821.tmp | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\RCX3790.tmp | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\it-IT\SppExtComObj.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\RCX50B0.tmp | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\en-US\unsecapp.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Idle.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\Idle.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX4A26.tmp | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\en-US\29c1c3cc0f7685 | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\it-IT\SppExtComObj.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\sihost.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\110.0.5481.104\6ccacd8608530f | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\unsecapp.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Idle.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\MusNotification.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Multimedia Platform\RCX4C2A.tmp | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\Windows Mail\Idle.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\lsass.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\RCX409C.tmp | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Windows Photo Viewer\ja-JP\RCX459F.tmp | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\Windows Mail\6ccacd8608530f | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\Windows Multimedia Platform\ee2ad38f3d4382 | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\66fc9ff0ee96c2 | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\RCX358B.tmp | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\sihost.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\Uninstall Information\6203df4a6bafc7 | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\aa97147c4c782d | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe | N/A |
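The registry tables above (UAC bypass, Adds Run key to start application, System policy modification, and the Winlogon Shell rows) are the registry side of the sample's persistence and privilege work: the three UAC policy values are zeroed by both the dropper and its OfficeClickToRun.exe copy, every dropped copy is registered under HKLM and HKU Run using a Windows process name from a non-system directory, and the Winlogon Shell value is extended past explorer.exe. The Python below is an added triage example written for this page, not code from the report or from any sandbox vendor. It parses rows in this report's "Set value" layout and flags the three conditions; the sample rows (including a benign OneDrive Run key), the system-binary name list and the directory list are constructed assumptions modelled on the rows above.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed rows in this report's "| Description | Indicator | Process | Target |"
# layout. The OneDrive row is a benign Run key, included to show that the check
# keys on masquerading rather than on Run keys as such.
SAMPLE_REGISTRY_ROWS = r"""
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Uninstall Information\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\"" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
"""

# Windows binary names the dropper reuses for its copies (assumed list, taken
# from the file names in this report). One of these running from outside the
# system directories is masquerading (ATT&CK T1036.005).
SYSTEM_BINARY_NAMES = frozenset({
    "lsass.exe", "services.exe", "sihost.exe", "fontdrvhost.exe", "runtimebroker.exe",
    "wininit.exe", "dllhost.exe", "sppsvc.exe", "unsecapp.exe", "explorer.exe",
})
SYSTEM_DIRS = frozenset({r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"})
# The three values the sample zeroes; all three at 0 removes every UAC prompt.
UAC_POLICY_VALUES = frozenset({"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"})


@dataclass(frozen=True)
class Finding:
    kind: str
    key: str
    detail: str
    process: str


def _unescape(raw: str) -> str:
    """Strip the report's outer quotes and backslash escapes from a value cell."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return re.sub(r"\\(.)", r"\1", raw)


def _is_masquerade(exe_path: str) -> bool:
    """True when a system binary name is used from a non-system directory."""
    return (ntpath.basename(exe_path).lower() in SYSTEM_BINARY_NAMES
            and ntpath.dirname(exe_path).lower() not in SYSTEM_DIRS)


def parse_rows(text: str):
    """Yield (description, indicator, process) from rows in the report's table layout."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split(" | ")]
        if len(cells) >= 3 and cells[0] != "Description":
            yield cells[0], cells[1], cells[2]


def triage_registry_events(text: str) -> list[Finding]:
    """Flag UAC policy weakening, masquerading Run entries and Winlogon Shell hijacks."""
    findings: list[Finding] = []
    for description, indicator, process in parse_rows(text):
        if not description.startswith("Set value") or " = " not in indicator:
            continue
        key, _, raw = indicator.partition(" = ")
        key_lower = key.lower()
        value_name = key_lower.rsplit("\\", 1)[-1]
        data = _unescape(raw)
        if value_name in UAC_POLICY_VALUES and data == "0":
            findings.append(Finding("uac_policy_weakened", key, f"{value_name}=0", process))
        elif "\\currentversion\\run\\" in key_lower:
            exe = data.strip('"')
            if _is_masquerade(exe):
                findings.append(Finding("run_key_masquerade", key, exe, process))
        elif key_lower.endswith("\\winlogon\\shell"):
            # Shell is a comma-separated list; anything beyond explorer.exe is a hijack.
            entries = [e.strip().strip('"') for e in data.split(",")]
            extra = [e for e in entries if e.lower() != "explorer.exe"]
            if extra:
                findings.append(Finding("winlogon_shell_hijack", key, ";".join(extra), process))
    return findings
```

Two caveats when turning this into a detection. EnableLUA=0 only takes effect after a reboot, but ConsentPromptBehaviorAdmin=0 together with PromptOnSecureDesktop=0 already auto-elevates administrators without a prompt, so any one of the three being set to 0 by a non-installer process deserves an alert rather than waiting for all three. The masquerade check is a name-and-directory heuristic; it catches every Run value in this report because the dropper never writes into System32, but a benign third-party installer that ships its own copy of a file named like a Windows binary would also trip it, so pair it with the signer check from the "Unsigned PE" signature.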
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Documents\My Pictures\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Pictures\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\My Pictures\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\My Documents\upfc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\My Documents\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Resources\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\MusNotification.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\MusNotification.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\MusNotification.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\debug\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\110.0.5481.104\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\110.0.5481.104\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\110.0.5481.104\Idle.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yrrQ2TPTZL.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe
"C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe"
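The process list shows the scheduled-task pattern behind the "Creates scheduled task(s)" signature: every dropped copy gets three tasks, one ONLOGON with /rl HIGHEST and two on a 5 to 14 minute cadence, all created with /f so an existing task of the same name is silently overwritten; the batch file then adds a Defender exclusion for the whole C: volume and calls w32tm /stripchart, which DCRat-style droppers use as a short sleep. The Python below is an added example written for this page, not code from the report or from any sandbox vendor. It parses schtasks /create command lines, groups them by target binary, and reports a cluster only when the same binary has at least three tasks including an ONLOGON/HIGHEST one and a short MINUTE repeat; it also extracts Defender exclusion paths and counts w32tm delay calls. The sample listing (with a benign "Backup" task added as a control), the binary-name list and the 15 minute cadence threshold are constructed assumptions.

```python
from __future__ import annotations

import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed process listing in the report's layout (image path, then command
# line), modelled on the schtasks, powershell and w32tm entries above. The
# "Backup" task is benign and shows the cluster check leaving it alone.
SAMPLE_PROCESS_LIST = r"""
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Backup" /sc DAILY /st 02:00 /tr "'C:\Program Files\Contoso\backup.exe'" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
"""

# Assumed name list, taken from the file names dropped in this report.
SYSTEM_BINARY_NAMES = frozenset({
    "lsass.exe", "services.exe", "sihost.exe", "fontdrvhost.exe", "runtimebroker.exe",
    "wininit.exe", "dllhost.exe", "sppsvc.exe", "unsecapp.exe", "idle.exe",
})
SYSTEM_DIRS = frozenset({r"c:\windows\system32", r"c:\windows\syswow64"})
MAX_MINUTES = 15  # assumed threshold for "short cadence"; the report shows 5 to 14

_CREATE = re.compile(r'^"?schtasks(?:\.exe)?"?\s+/create\b', re.IGNORECASE)
_SWITCH = re.compile(r'/(tn|sc|mo|tr|rl|st)\s+("[^"]*"|\S+)', re.IGNORECASE)
_EXCLUSION = re.compile(r"""Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(['"]?)([^'"\s]+)\1""", re.IGNORECASE)
_W32TM_DELAY = re.compile(r"^w32tm(?:\.exe)?\s+/stripchart\b.*\s/period:(\d+)", re.IGNORECASE)


@dataclass(frozen=True)
class Task:
    name: str
    schedule: str
    modifier: int | None
    target: str
    run_level: str | None


def _is_masquerade(exe_path: str) -> bool:
    """A system-binary name running from outside the system directories (T1036.005)."""
    return (ntpath.basename(exe_path).lower() in SYSTEM_BINARY_NAMES
            and ntpath.dirname(exe_path).lower() not in SYSTEM_DIRS)


def parse_schtasks(cmdline: str) -> Task | None:
    """Parse a 'schtasks /create' command line; return None for anything else."""
    if not _CREATE.match(cmdline.strip()):
        return None
    # /tr is double-quoted and carries a single-quoted path inside; strip both.
    opts = {k.lower(): v.strip('"').strip("'") for k, v in _SWITCH.findall(cmdline)}
    if "tn" not in opts or "tr" not in opts:
        return None
    return Task(
        name=opts["tn"],
        schedule=opts.get("sc", "").upper(),
        modifier=int(opts["mo"]) if opts.get("mo", "").isdigit() else None,
        target=opts["tr"],
        run_level=opts.get("rl", "").upper() or None,
    )


def find_persistence_clusters(tasks: list[Task]) -> list[dict]:
    """Same target registered 3+ times, once ONLOGON/HIGHEST, plus a short MINUTE repeat."""
    by_target: dict[str, list[Task]] = defaultdict(list)
    for task in tasks:
        by_target[task.target.lower()].append(task)
    clusters = []
    for group in by_target.values():
        logon_highest = any(t.schedule == "ONLOGON" and t.run_level == "HIGHEST" for t in group)
        repeats = [t for t in group if t.schedule == "MINUTE" and t.modifier is not None and t.modifier <= MAX_MINUTES]
        if len(group) >= 3 and logon_highest and repeats:
            clusters.append({
                "target": group[0].target,
                "task_names": sorted({t.name for t in group}),
                "fastest_minutes": min(t.modifier for t in repeats),
                "masquerade": _is_masquerade(group[0].target),
            })
    return clusters


def triage_process_list(text: str) -> dict:
    """Run the task-cluster, Defender-exclusion and w32tm-delay checks over a listing."""
    tasks, exclusions, delays = [], [], 0
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        task = parse_schtasks(line)
        if task:
            tasks.append(task)
        m = _EXCLUSION.search(line)
        if m:
            exclusions.append(m.group(2))
        if _W32TM_DELAY.match(line):
            delays += 1
    return {"clusters": find_persistence_clusters(tasks),
            "defender_exclusions": exclusions, "delay_commands": delays}
```

The cluster rule is deliberately stricter than "schtasks with /rl HIGHEST": a single elevated logon task is common for legitimate updaters, whereas the three-task-per-binary shape with minute-level repeats and a masquerading target is specific to this dropper family. For hunting, the Defender exclusion is the cheapest pivot: `Add-MpPreference -ExclusionPath 'C:\'` disables scanning for the entire system volume and has no legitimate use in an interactive session. In the sandbox run above the triage returns one cluster per dropped copy; on a live host, query the Task Scheduler (schtasks /query /fo CSV /v) and feed the "Task To Run" and "Schedule Type" columns through the same grouping.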
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| BE | 88.221.83.219:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| BE | 88.221.83.184:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 184.83.221.88.in-addr.arpa | udp |
| RU | 94.250.255.250:80 | 94.250.255.250 | tcp |
| RU | 94.250.255.250:443 | | tcp |
| RU | 94.250.255.250:443 | | tcp |
| US | 8.8.8.8:53 | 250.255.250.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/2408-0-0x00007FF91B6D3000-0x00007FF91B6D5000-memory.dmp
memory/2408-1-0x0000000000DF0000-0x00000000010B0000-memory.dmp
memory/2408-2-0x00007FF91B6D0000-0x00007FF91C191000-memory.dmp
memory/2408-4-0x00000000032A0000-0x00000000032BC000-memory.dmp
memory/2408-3-0x0000000003180000-0x0000000003188000-memory.dmp
memory/2408-5-0x000000001C390000-0x000000001C3E0000-memory.dmp
memory/2408-6-0x00000000032C0000-0x00000000032C8000-memory.dmp
memory/2408-9-0x000000001BD20000-0x000000001BD28000-memory.dmp
memory/2408-7-0x000000001BCF0000-0x000000001BD00000-memory.dmp
memory/2408-11-0x000000001C350000-0x000000001C360000-memory.dmp
memory/2408-10-0x000000001C340000-0x000000001C348000-memory.dmp
memory/2408-8-0x000000001BD00000-0x000000001BD16000-memory.dmp
memory/2408-12-0x000000001C360000-0x000000001C36A000-memory.dmp
memory/2408-13-0x000000001C3E0000-0x000000001C436000-memory.dmp
memory/2408-18-0x000000001C450000-0x000000001C45C000-memory.dmp
memory/2408-17-0x000000001C440000-0x000000001C448000-memory.dmp
memory/2408-16-0x000000001C430000-0x000000001C43C000-memory.dmp
memory/2408-15-0x000000001C380000-0x000000001C388000-memory.dmp
memory/2408-19-0x000000001C460000-0x000000001C46C000-memory.dmp
memory/2408-14-0x000000001C370000-0x000000001C378000-memory.dmp
memory/2408-20-0x000000001C570000-0x000000001C578000-memory.dmp
memory/2408-24-0x000000001C6B0000-0x000000001C6B8000-memory.dmp
memory/2408-25-0x000000001C700000-0x000000001C70A000-memory.dmp
memory/2408-23-0x000000001C6A0000-0x000000001C6AC000-memory.dmp
memory/2408-22-0x000000001C590000-0x000000001C59C000-memory.dmp
memory/2408-26-0x000000001C710000-0x000000001C71C000-memory.dmp
memory/2408-27-0x00007FF91B6D0000-0x00007FF91C191000-memory.dmp
memory/2408-21-0x000000001C580000-0x000000001C588000-memory.dmp
memory/2408-30-0x00007FF91B6D0000-0x00007FF91C191000-memory.dmp
C:\Program Files\Uninstall Information\lsass.exe
| MD5 | 86ef16b6eb613bff73f73a75b7236310 |
| SHA1 | 3de6bea5685131148fb7ef9b07c6dcce2d643929 |
| SHA256 | ea2c6dc28317191ff3aa2fc75fc9d3fd8a64510c4118b07074e67f1d0c6e1ef9 |
| SHA512 | 9fd4a0bcbe5a454ea660d4ca6d7524161c2fe817be60e26d511e3f04093e1c6e0b10a11ba25ee3d709b766b63f9c5344d84ef448f5dc44884506a07b862c8e94 |
C:\Windows\debug\RuntimeBroker.exe
| MD5 | 2df515d11745c82c609702cc146c38b0 |
| SHA1 | b30976043bb09cdf7fa7f097358704babd68afae |
| SHA256 | 5528a5b6f8b86239dcf8a5e66f7e5ef2c8aa0eeb8321f670a603f1c0ad606b15 |
| SHA512 | b7c46c57f327cf3c05387843c5c4f48d06b3de1ab188dae2624935a81730bbd049a5be3b14917dd7a3919726c5a06fdbd102c716227549b7290f92567bde24cd |
C:\Program Files\Windows Security\BrowserCore\en-US\RCX4821.tmp
| MD5 | 395cdc96dbd8bec939c886d1052a2b4d |
| SHA1 | ce9bbc64046293cdce0a51bdeac4144caba1c6cf |
| SHA256 | 726e46088cb7390f9893f907bb1acfd430edd61dbe95e7aaad8b4a0bf791388b |
| SHA512 | 0bd939b43830c9022347390bb753b8211211b8b285554cc54c3b233c268561883d16c2682739156e9a962ef30e51fc884206d5304229a73435acabb1f5083f7e |
C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe
| MD5 | ebe817f87b24a99851c6f46a7894be98 |
| SHA1 | 59dc201ee89301aeb73b7c79371797eb72dd7b73 |
| SHA256 | b2357320db336178a732f49634f6a18737ea80457556c2bad4342878babaa988 |
| SHA512 | 3b3d44c157d78bb545ff6365c4ce8ea7c32ff131aeffa7fb15089a8244cad4b343844f982ed2ba72ec51edf67309d5193f6c9768f9b39379edfb64521ac332ca |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1vttkiig.fly.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\yrrQ2TPTZL.bat
| MD5 | bd7af1b95ec039343adeda82c320079b |
| SHA1 | 1c4a092a0e5eb8f780671db9cece3411678ce4fe |
| SHA256 | 11efaaebc5d7eca2d0062c6eca96458b142a1e00bc82198b8a564d90f7f22aeb |
| SHA512 | 911b6e615edb60569b95237d8ec16064118789a431d23e2b7a58cd0e63952f1479478efbcd3f359c510e0d4b227bdbbe0362062370f0838ffc8cea091dcf9b7e |
C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe
| MD5 | 2b73a6c5cf947899032706265c447e0d |
| SHA1 | c0782f51c7951c4512dab56173b5a83de88bf688 |
| SHA256 | b3bf4f0ab0b416c9981d4598efb5e935380d7ac0a5e925447510011e201d6bb6 |
| SHA512 | 00cf94d6035f30e6b7d683bfb037ad81eac73db50204358b75609d00f3025dd6fd77608452f6ce469570f9a7de30b7bec8d87ff1c5ddc16c8c25c04fab2428ff |