Malware Analysis Report

2024-11-15 05:49

Sample ID 240515-fxb1aaag8x
Target 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics
SHA256 ea2c6dc28317191ff3aa2fc75fc9d3fd8a64510c4118b07074e67f1d0c6e1ef9
Tags
rat dcrat evasion execution infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ea2c6dc28317191ff3aa2fc75fc9d3fd8a64510c4118b07074e67f1d0c6e1ef9

Threat Level: Known bad

The file 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion execution infostealer persistence trojan

Process spawned unexpected child process

UAC bypass

DcRat

DCRat payload

Dcrat family

Modifies WinLogon for persistence

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies system certificate store

System policy modification

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 05:14

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 05:14

Reported

2024-05-15 05:17

Platform

win7-20231129-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Users\\Default\\Local Settings\\dwm.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Users\\Default\\Local Settings\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Users\\Default\\Local Settings\\dwm.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Users\\Default\\Local Settings\\dwm.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (identical entry repeated 42 times)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\wininit.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (identical entry repeated 3 times)

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (identical entry repeated 2 times)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default User\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default\\Local Settings\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default User\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default\\Local Settings\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Sidebar\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Sidebar\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\wininit.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Defender\winlogon.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Filters\RCX142F.tmp C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\RCX18A4.tmp C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Sidebar\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\de-DE\wininit.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Media Player\de-DE\56085415360792 C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Sidebar\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Filters\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Filters\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Filters\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Defender\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\winlogon.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Media Player\de-DE\wininit.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (identical entry repeated 42 times)

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Default User\wininit.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary certificate blob omitted] C:\Users\Default User\wininit.exe N/A

Note: CABD2A79A1076A31F21D253635CB039D4329A5E8 is the SHA-1 fingerprint of ISRG Root X1, the Let's Encrypt root CA, which Windows commonly fetches on demand (automatic root update) the first time a TLS chain ending at that root is validated. The write is therefore plausibly a side effect of the payload's HTTPS connection to 94.250.255.250:443 rather than a deliberately planted attacker root; decode the Blob and check the certificate subject before treating the thumbprint as an indicator.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Default User\wininit.exe N/A
N/A N/A C:\Users\Default User\wininit.exe N/A
N/A N/A C:\Users\Default User\wininit.exe N/A
N/A N/A C:\Users\Default User\wininit.exe N/A
N/A N/A C:\Users\Default User\wininit.exe N/A
N/A N/A C:\Users\Default User\wininit.exe N/A
N/A N/A C:\Users\Default User\wininit.exe N/A
N/A N/A C:\Users\Default User\wininit.exe N/A
N/A N/A C:\Users\Default User\wininit.exe N/A
N/A N/A C:\Users\Default User\wininit.exe N/A
N/A N/A C:\Users\Default User\wininit.exe N/A
N/A N/A C:\Users\Default User\wininit.exe N/A
N/A N/A C:\Users\Default User\wininit.exe N/A
N/A N/A C:\Users\Default User\wininit.exe N/A
N/A N/A C:\Users\Default User\wininit.exe N/A
N/A N/A C:\Users\Default User\wininit.exe N/A
N/A N/A C:\Users\Default User\wininit.exe N/A
N/A N/A C:\Users\Default User\wininit.exe N/A
N/A N/A C:\Users\Default User\wininit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\wininit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2956 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
PID 2956 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
PID 2956 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
PID 536 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 536 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 536 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2776 wrote to memory of 2376 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2776 wrote to memory of 2376 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2776 wrote to memory of 2376 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2776 wrote to memory of 2852 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\wininit.exe
PID 2776 wrote to memory of 2852 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\wininit.exe
PID 2776 wrote to memory of 2852 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\wininit.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Microsoft Shared\Filters\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\Filters\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Microsoft Shared\Filters\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'

C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Local Settings\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Local Settings\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IFf9IaIrAX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\wininit.exe

"C:\Users\Default User\wininit.exe"
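The process tree above shows the dropper's persistence routine: for each dropped copy (named after a Windows system process but written to locations such as C:\MSOCache, C:\Recovery, C:\Users\Default User or Program Files) it registers three scheduled tasks, one MINUTE-interval task without an elevation flag, one ONLOGON task with /rl HIGHEST and a second MINUTE task with /rl HIGHEST; it then adds C:\ as a Windows Defender exclusion with Add-MpPreference, and the batch file uses w32tm /stripchart (/period:5 /samples:2, roughly a five-second wait) as a timer before launching the dropped wininit.exe. The Python script below is an added example and is not part of this report or of any sandbox's tooling: it parses schtasks.exe command lines of the shape shown above and flags the masquerading image path, the HIGHEST run level, the short interval and the task-naming scheme used here (binary name, or binary name plus its own first letter: wininit / wininitw, csrss / csrssc, Idle / IdleI). The system-process name list, the 15-minute threshold and the benign control task are the editor's assumptions, not data from the report.

```python
import ntpath
import re
from collections import Counter

# Windows process names (plus the "System" and "Idle" pseudo-process names
# shown by Task Manager) that the dropped copies in this report impersonate.
# Assumed list for the example; extend it for your environment.
SYSTEM_PROCESS_NAMES = {
    "wininit.exe", "csrss.exe", "dllhost.exe", "sppsvc.exe", "winlogon.exe",
    "explorer.exe", "audiodg.exe", "dwm.exe", "spoolsv.exe", "lsass.exe",
    "services.exe", "svchost.exe", "smss.exe", "runtimebroker.exe",
    "sihost.exe", "fontdrvhost.exe", "system.exe", "idle.exe",
}
# Directories those names are legitimately launched from.
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Only the switches needed for triage; a value is a "quoted string" or a bare token.
SWITCH_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)

# Constructed input: command lines copied from the Processes section of the
# report, plus one benign control task (NightlyBackup) that is not from it.
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /f""",
    r"""schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f""",
    r"""schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\Idle.exe'" /f""",
    r"""schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\Idle.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\Idle.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\wbadmin.exe" /f""",
]


def parse_schtasks(cmdline):
    """Extract /tn /sc /mo /tr /rl. The dropper wraps /tr as "'path'", so both quote layers are removed."""
    return {k.lower(): v.strip('"').strip("'") for k, v in SWITCH_RE.findall(cmdline)}


def is_masquerading(path):
    """A Windows system-process name launched from outside the system directories."""
    name = ntpath.basename(path).lower()
    low = path.lower()
    if name not in SYSTEM_PROCESS_NAMES:
        return False
    return not (low.startswith(LEGIT_DIRS) or low == "c:\\windows\\explorer.exe")


def suspicious_task_name(tn, path):
    """Task named after the binary ("wininit") or binary plus its first letter ("wininitw")."""
    stem = ntpath.splitext(ntpath.basename(path))[0].lower()
    return bool(stem) and tn.lower() in {stem, stem + stem[0]}


def triage(cmdlines):
    """One finding per task; 'reasons' is empty for tasks that look benign."""
    findings = []
    for line in cmdlines:
        t = parse_schtasks(line)
        if "tr" not in t:
            continue
        reasons = []
        if is_masquerading(t["tr"]):
            reasons.append("masquerade")
        if t.get("rl", "").upper() == "HIGHEST":
            reasons.append("highest")
        # 15 minutes is an assumed threshold for "relaunch watchdog" behaviour
        if t.get("sc", "").upper() == "MINUTE" and int(t.get("mo", "1")) <= 15:
            reasons.append("short-interval")
        if suspicious_task_name(t.get("tn", ""), t["tr"]):
            reasons.append("name-pattern")
        findings.append({"tn": t.get("tn"), "target": t["tr"], "reasons": reasons})
    return findings


def tasks_per_target(cmdlines):
    """Tasks registered per binary: this dropper registers three per payload."""
    return Counter(t["tr"] for t in map(parse_schtasks, cmdlines) if "tr" in t)


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"{f['tn']:<14} {','.join(f['reasons']) or 'ok':<45} {f['target']}")
    for target, n in tasks_per_target(SAMPLE_CMDLINES).items():
        print(f"{n} task(s) -> {target}")
```

Run against process-creation telemetry (Sysmon event 1 or Security 4688 command lines), the combination of masquerade and name-pattern on the same task is specific enough to alert on; short-interval and highest alone are noisy and are better used as enrichment.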

Network

Country Destination Domain Proto
RU 94.250.255.250:80 94.250.255.250 tcp
RU 94.250.255.250:443 N/A tcp
RU 94.250.255.250:443 N/A tcp

Files

memory/2956-0-0x000007FEF5B93000-0x000007FEF5B94000-memory.dmp

memory/2956-1-0x0000000000BE0000-0x0000000000EA0000-memory.dmp

memory/2956-2-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

memory/2956-3-0x0000000000150000-0x0000000000158000-memory.dmp

memory/2956-4-0x00000000004F0000-0x000000000050C000-memory.dmp

memory/2956-5-0x0000000000160000-0x0000000000168000-memory.dmp

memory/2956-6-0x0000000000510000-0x0000000000520000-memory.dmp

memory/2956-7-0x0000000000530000-0x0000000000546000-memory.dmp

memory/2956-8-0x0000000000550000-0x0000000000558000-memory.dmp

memory/2956-9-0x0000000000A80000-0x0000000000A88000-memory.dmp

memory/2956-10-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

memory/2956-11-0x0000000000A90000-0x0000000000A9A000-memory.dmp

memory/2956-12-0x000000001A990000-0x000000001A9E6000-memory.dmp

memory/2956-13-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

memory/2956-14-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

memory/2956-15-0x0000000000AD0000-0x0000000000ADC000-memory.dmp

memory/2956-16-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

memory/2956-17-0x000000001A9E0000-0x000000001A9EC000-memory.dmp

memory/2956-18-0x000000001A9F0000-0x000000001A9FC000-memory.dmp

memory/2956-19-0x000000001AA00000-0x000000001AA08000-memory.dmp

memory/2956-20-0x000000001AB20000-0x000000001AB28000-memory.dmp

memory/2956-21-0x000000001AB10000-0x000000001AB1C000-memory.dmp

memory/2956-22-0x000000001AB30000-0x000000001AB3C000-memory.dmp

memory/2956-25-0x000000001AF30000-0x000000001AF3C000-memory.dmp

memory/2956-24-0x000000001AF20000-0x000000001AF2A000-memory.dmp

memory/2956-23-0x000000001AB40000-0x000000001AB48000-memory.dmp

memory/2956-26-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

C:\Program Files (x86)\Windows Defender\winlogon.exe

MD5 86ef16b6eb613bff73f73a75b7236310
SHA1 3de6bea5685131148fb7ef9b07c6dcce2d643929
SHA256 ea2c6dc28317191ff3aa2fc75fc9d3fd8a64510c4118b07074e67f1d0c6e1ef9
SHA512 9fd4a0bcbe5a454ea660d4ca6d7524161c2fe817be60e26d511e3f04093e1c6e0b10a11ba25ee3d709b766b63f9c5344d84ef448f5dc44884506a07b862c8e94

memory/2956-82-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

memory/1124-87-0x000000001B760000-0x000000001BA42000-memory.dmp

memory/1124-88-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 b192355378d7bcfaa642fc8da264ec49
SHA1 aab9c22bbb0bc31b0d8ac7dfe4d04a2623cedbd7
SHA256 e0d1936b40c311ba873830ef700d6f9be68a0a161c06e4954921728f8c3bd1b6
SHA512 9fbd0af75c9cbb173d4569f8355e9db0b4dbc1bd85eca0a03aee18a30ab16fdceb4077fdbca88a9712429e1d36dada162021885185d2cce93c8adeb3e986e833

memory/2472-130-0x000000001B6A0000-0x000000001B982000-memory.dmp

memory/2472-131-0x0000000002000000-0x0000000002008000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IFf9IaIrAX.bat

MD5 c6a6df61dc5119b1e88ca3a29123bbe0
SHA1 f9582841d43b651002b439fca23e6ecd5fabf7f2
SHA256 33f5b03c80a823e0e519c9e2a35b9fd4e96d3c727fb4a08558cbdf75fbca7196
SHA512 57a418f812244772ccc575a9014302c3d4339a96c329e5ac304ff70b5f04b1115fd40cc29aa84065af798afd9bf214b3facb6d78b1802d1511dc0130c7967700

memory/2852-135-0x0000000000990000-0x0000000000C50000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 05:14

Reported

2024-05-15 05:17

Platform

win10v2004-20240426-en

Max time kernel

130s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Program Files\\Mozilla Firefox\\sihost.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Program Files\\Mozilla Firefox\\sihost.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\110.0.5481.104\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files\\Windows Mail\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Windows\\Resources\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\Mozilla Firefox\\sihost.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Google\\Chrome\\Application\\110.0.5481.104\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Mail\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Uninstall Information\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Google\\Chrome\\Application\\110.0.5481.104\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Mail\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Admin\\My Documents\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Resources\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\debug\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\MusNotification.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\Mozilla Firefox\\sihost.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Uninstall Information\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\debug\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Resources\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Admin\\My Documents\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default\\Documents\\My Pictures\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\RCX4EAC.tmp C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files\Uninstall Information\lsass.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Photo Viewer\ja-JP\e6c9b481da804f C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\e1ef82546f0b02 C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\RCX3E97.tmp C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\MusNotification.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\RCX4821.tmp C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Uninstall Information\RCX3790.tmp C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\it-IT\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\RCX50B0.tmp C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Idle.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Mail\Idle.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX4A26.tmp C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files\Mozilla Firefox\sihost.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Idle.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\MusNotification.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\RCX4C2A.tmp C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Mail\Idle.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Uninstall Information\lsass.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\RCX409C.tmp C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\ja-JP\RCX459F.tmp C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Mail\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files\Mozilla Firefox\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Mail\RCX358B.tmp C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\sihost.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files\Uninstall Information\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\aa97147c4c782d C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\debug\RCX431E.tmp C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\debug\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Windows\Resources\services.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Windows\Resources\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Windows\debug\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File created C:\Windows\debug\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Resources\RCX3A11.tmp C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Resources\services.exe C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Documents\My Pictures\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Pictures\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\My Pictures\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\My Documents\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\My Documents\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Resources\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\MusNotification.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\MusNotification.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\MusNotification.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\debug\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\110.0.5481.104\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\110.0.5481.104\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\110.0.5481.104\Idle.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yrrQ2TPTZL.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe

"C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
BE 88.221.83.219:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 219.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
BE 88.221.83.184:443 www.bing.com tcp
US 8.8.8.8:53 184.83.221.88.in-addr.arpa udp
RU 94.250.255.250:80 94.250.255.250 tcp
RU 94.250.255.250:443 tcp
RU 94.250.255.250:443 tcp
US 8.8.8.8:53 250.255.250.94.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Program Files\Uninstall Information\lsass.exe

MD5 86ef16b6eb613bff73f73a75b7236310
SHA1 3de6bea5685131148fb7ef9b07c6dcce2d643929
SHA256 ea2c6dc28317191ff3aa2fc75fc9d3fd8a64510c4118b07074e67f1d0c6e1ef9
SHA512 9fd4a0bcbe5a454ea660d4ca6d7524161c2fe817be60e26d511e3f04093e1c6e0b10a11ba25ee3d709b766b63f9c5344d84ef448f5dc44884506a07b862c8e94

C:\Windows\debug\RuntimeBroker.exe

MD5 2df515d11745c82c609702cc146c38b0
SHA1 b30976043bb09cdf7fa7f097358704babd68afae
SHA256 5528a5b6f8b86239dcf8a5e66f7e5ef2c8aa0eeb8321f670a603f1c0ad606b15
SHA512 b7c46c57f327cf3c05387843c5c4f48d06b3de1ab188dae2624935a81730bbd049a5be3b14917dd7a3919726c5a06fdbd102c716227549b7290f92567bde24cd

C:\Program Files\Windows Security\BrowserCore\en-US\RCX4821.tmp

MD5 395cdc96dbd8bec939c886d1052a2b4d
SHA1 ce9bbc64046293cdce0a51bdeac4144caba1c6cf
SHA256 726e46088cb7390f9893f907bb1acfd430edd61dbe95e7aaad8b4a0bf791388b
SHA512 0bd939b43830c9022347390bb753b8211211b8b285554cc54c3b233c268561883d16c2682739156e9a962ef30e51fc884206d5304229a73435acabb1f5083f7e

C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe

MD5 ebe817f87b24a99851c6f46a7894be98
SHA1 59dc201ee89301aeb73b7c79371797eb72dd7b73
SHA256 b2357320db336178a732f49634f6a18737ea80457556c2bad4342878babaa988
SHA512 3b3d44c157d78bb545ff6365c4ce8ea7c32ff131aeffa7fb15089a8244cad4b343844f982ed2ba72ec51edf67309d5193f6c9768f9b39379edfb64521ac332ca

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1vttkiig.fly.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\yrrQ2TPTZL.bat

MD5 bd7af1b95ec039343adeda82c320079b
SHA1 1c4a092a0e5eb8f780671db9cece3411678ce4fe
SHA256 11efaaebc5d7eca2d0062c6eca96458b142a1e00bc82198b8a564d90f7f22aeb
SHA512 911b6e615edb60569b95237d8ec16064118789a431d23e2b7a58cd0e63952f1479478efbcd3f359c510e0d4b227bdbbe0362062370f0838ffc8cea091dcf9b7e

C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe

MD5 2b73a6c5cf947899032706265c447e0d
SHA1 c0782f51c7951c4512dab56173b5a83de88bf688
SHA256 b3bf4f0ab0b416c9981d4598efb5e935380d7ac0a5e925447510011e201d6bb6
SHA512 00cf94d6035f30e6b7d683bfb037ad81eac73db50204358b75609d00f3025dd6fd77608452f6ce469570f9a7de30b7bec8d87ff1c5ddc16c8c25c04fab2428ff