Malware Analysis Report

2024-11-15 05:49

Sample ID 240515-gmgcpacc79
Target 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics
SHA256 5e18fece13e186284ad707df63c1d44b117dbffd5da5b814ebf1a68647679c5b
Tags
rat dcrat evasion execution infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5e18fece13e186284ad707df63c1d44b117dbffd5da5b814ebf1a68647679c5b

Threat Level: Known bad

The file 9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion execution infostealer trojan

DCRat payload

Dcrat family

Process spawned unexpected child process

DcRat

UAC bypass

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 05:55

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 05:55

Reported

2024-05-15 05:57

Platform

win7-20240221-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target | Occurrences
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A | 57
File created | C:\Program Files\Uninstall Information\69ddcba757bf72 | C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | N/A | 1
File created | C:\Program Files\Windows Mail\es-ES\56085415360792 | C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | N/A | 1
File created | C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\56085415360792 | C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | N/A | 1
(61 rows in total; the 57 identical schtasks.exe rows, interleaved with the four distinct rows in the report, are merged and counted in the last column.)

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(57 identical rows, one per schtasks.exe launch.)

UAC bypass

evasion trojan
Description | Indicator | Process | Target | Occurrences
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | N/A | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe | N/A | 5
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | N/A | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe | N/A | 5
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | N/A | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe | N/A | 5
(21 events in total; identical rows are merged and counted in the last column.)

DCRat payload

rat
Description | Indicator | Process | Target | Occurrences
N/A | N/A | N/A | N/A | 7

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target | Occurrences
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 24

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target | Occurrences
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | N/A | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe | N/A | 5
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | N/A | 2
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe | N/A | 5
(14 events in total; identical rows are merged and counted in the last column.)

Drops file in Program Files directory

Process (all rows): C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Target (all rows): N/A
Description | Indicator
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\69ddcba757bf72
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\886983d96e3d3e
File opened for modification | C:\Program Files\Windows Photo Viewer\es-ES\System.exe
File created | C:\Program Files\Uninstall Information\smss.exe
File created | C:\Program Files\Uninstall Information\69ddcba757bf72
File created | C:\Program Files\Mozilla Firefox\uninstall\smss.exe
File created | C:\Program Files\Windows Photo Viewer\es-ES\27d1bcfc3c54e0
File created | C:\Program Files\Windows Mail\es-ES\wininit.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created | C:\Program Files\Mozilla Firefox\uninstall\69ddcba757bf72
File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\smss.exe
File opened for modification | C:\Program Files\Uninstall Information\RCX2012.tmp
File opened for modification | C:\Program Files\Uninstall Information\RCX2013.tmp
File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\csrss.exe
File opened for modification | C:\Program Files\Windows Mail\es-ES\RCX1DFE.tmp
File opened for modification | C:\Program Files\Uninstall Information\smss.exe
File created | C:\Program Files\Mozilla Firefox\browser\features\886983d96e3d3e
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe
File created | C:\Program Files\Windows Photo Viewer\es-ES\System.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\f64ee6197c7d98
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\csrss.exe
File created | C:\Program Files\Windows Mail\es-ES\56085415360792
File opened for modification | C:\Program Files\Windows Mail\es-ES\RCX1DFF.tmp
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\csrss.exe
File opened for modification | C:\Program Files\Windows Mail\es-ES\wininit.exe
File created | C:\Program Files\Mozilla Firefox\browser\features\csrss.exe

Drops file in Windows directory

Process (all rows): C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Target (all rows): N/A
Description | Indicator
File created | C:\Windows\LiveKernelReports\lsm.exe
File opened for modification | C:\Windows\LiveKernelReports\lsm.exe
File created | C:\Windows\LiveKernelReports\101b941d020240
File created | C:\Windows\TAPI\winlogon.exe
File created | C:\Windows\ServiceProfiles\LocalService\Desktop\42af1c969fbb7b
File opened for modification | C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\RCX2228.tmp
File created | C:\Windows\Globalization\ELS\Transliteration\winlogon.exe
File created | C:\Windows\TAPI\cc11b995f2a76d
File created | C:\Windows\ServiceProfiles\LocalService\Desktop\audiodg.exe
File opened for modification | C:\Windows\Globalization\ELS\Transliteration\winlogon.exe
File opened for modification | C:\Windows\TAPI\winlogon.exe
File created | C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\56085415360792
File opened for modification | C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe
File opened for modification | C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\RCX2227.tmp
File created | C:\Windows\Globalization\ELS\Transliteration\cc11b995f2a76d
File opened for modification | C:\Windows\ServiceProfiles\LocalService\Desktop\audiodg.exe
File created | C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target | Occurrences
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A | 57

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Occurrences
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | N/A | 15
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 12
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe | N/A | 7
(34 rows in total, kept in the report's order; identical consecutive rows are merged and counted in the last column.)
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2228 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2228 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2904 wrote to memory of 896 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2904 wrote to memory of 896 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2904 wrote to memory of 896 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2904 wrote to memory of 2592 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
PID 2904 wrote to memory of 2592 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
PID 2904 wrote to memory of 2592 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
PID 2592 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\es-ES\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\es-ES\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tu5TicqWzM.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\browser\features\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\browser\features\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Saved Games\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics9" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics9" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\uninstall\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\uninstall\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\My Documents\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\My Documents\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\My Documents\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\Globalization\ELS\Transliteration\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Globalization\ELS\Transliteration\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\ELS\Transliteration\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\TAPI\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\ServiceProfiles\LocalService\Desktop\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Desktop\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\LocalService\Desktop\audiodg.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dg5wW3gSHs.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe

"C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c7cb01b-2071-4d30-86ff-17439033d1c1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2460d63e-a740-4e79-b4db-541d6591a0ff.vbs"

C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe

C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3530065-e337-4777-89e6-4c13551d3d07.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84ec94ea-41d5-4ddb-b233-7f0711149a3b.vbs"

C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe

C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e8121eb-8e55-462c-9929-a28e9cf670a5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae69d8f3-4922-42f5-91e7-60d4085d5ab6.vbs"

C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe

C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c231ab6-0b6b-4d56-8376-a9f7a265d795.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2edaa45-9ab1-43a7-8338-c6cb7689de82.vbs"

C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe

C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89e8f0f4-0d59-43f0-98dc-995bc47affef.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47a18edb-86c4-4147-a905-28b0887cb81c.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0887556.xsph.ru udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\RCX1BEB.tmp

MD5 9053e1e0f0dc79857427f7ef64fa3530
SHA1 93298ff5140f6ba9724e31dda271148cd73c7511
SHA256 5e18fece13e186284ad707df63c1d44b117dbffd5da5b814ebf1a68647679c5b
SHA512 9bbcb60546639f4b995a817978c4f3331933fbf7dd409c2b1d06c84aeef1b437cd8e750abdf8dccafb558f5d68fe2f98f42feaeb01ccbee8934147f575cf5657

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 cf771a0383b69e3172be65ee549e8078
SHA1 88de047f37ae566c61319a3a662b07483c9ebe6b
SHA256 788ff5217822feb73affdf2b8879b32b9c751a5c9b530c2a604e055f3c867f9f
SHA512 40eada9e6a3872b4f48b92ff6dcf2078bb2b859f377870a5c4de9bf37900158fbff02f28defa8a288f3551aa38b06816e73ac11be31bacf758a1681bdf0f404b

C:\Users\Admin\AppData\Local\Temp\tu5TicqWzM.bat

MD5 1c75ad7367c828441792b6de4b6d76a4
SHA1 680df368e002a0a67d2005939769c71782f43609
SHA256 1d329ca402c54c36d8fc43d9f6d227e7f9d9983d67cadcb9c34cb9bc2a5fcc9f
SHA512 2b609129e2d4ac38d10ed985546fab3aaf9bcd97572779c41b44c27dd7cd384ba6cb7773f7f4eacdec8e17b2d1682ee2875ed7bc1ebf521a28811785b6ec4b8d

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\Dg5wW3gSHs.bat

MD5 13814caeb82fb165f4a2cf62c6c178bc
SHA1 ab9f0847dd91e0975ff62e4ea437408702d2ae32
SHA256 48912b51debafbed5ff94fbad22e3e962b447598cc79318eaf019da6a402c87d
SHA512 fd17403df6c3db98608832fcd8b9f81a0d5db2045a67fd280fa7d3851e2cb5c792c99d22984f1f17eb38cc7515d9fcc719cfb791a03da104315d48e8212e58df

C:\Users\Admin\AppData\Local\Temp\4c7cb01b-2071-4d30-86ff-17439033d1c1.vbs

MD5 9814ae6fe9fe19363eee016caa3139ed
SHA1 800483d4fcb75a17607b645e62b655ac3c928479
SHA256 f1818fe679a941111d395bb8359e57ae610587c5acd15be50d8d7a675ce871aa
SHA512 b0b02779dc1cafea3bf042050442da18b4d8cf7b8497004848094daf884105877cb9b68c9ea187f7321b068f1d850eccba060bcc274f137d6bf27a6f5e4a968c

C:\Users\Admin\AppData\Local\Temp\2460d63e-a740-4e79-b4db-541d6591a0ff.vbs

MD5 e1c11071cdbc31febd05b499adddd293
SHA1 b04f183a67249fa0181897800eac5b0e1c8baba3
SHA256 29bef5bba2d4c71df20fcb3d49dbd3b9945d528343059db7195042997408611e
SHA512 eec39fbda75538fbee950bcaf6e5d30338acbf35818f8ad8932098e26714c57a544abd1084fad1da7455bd02634da2750728a6571b5d74caf8cb5b2c0f768b5c

C:\Users\Admin\AppData\Local\Temp\f3530065-e337-4777-89e6-4c13551d3d07.vbs

MD5 a45ae3474dc577103be7d6243b01b7c5
SHA1 e41dee895be260dc2ca1a0b5fd3508852ada9c03
SHA256 abdec34aeabc77202f41e40d1a7546c4ca52060398f6aade6101fe2b9e06e8d1
SHA512 89e0a4fe419fd20c6e1a92ddf49d6d1f252d8b5a4b56e81aadfa4dbbcfb1dad685768c691bbf5b6437858ad6a75788ba1b50e19d07cda8e605750783c5c976f2

C:\Users\Admin\AppData\Local\Temp\3e8121eb-8e55-462c-9929-a28e9cf670a5.vbs

MD5 cc878f82682b7c44cfc915a278aaf2d1
SHA1 1dd3d1ead42ee5120a1c2e0b46ea9126300bb8f5
SHA256 49775b2883dd9ef5732d159e35a837990ec7600d7b00fdb492a634f94af58dcd
SHA512 75624021e5f17694170a8299f0aa2516ec12fe007968cd555ddc17d2534dfcbe35a0e4e275c8e85ab1c542e7f784bb437d485f907bc87c8e3dad7ed5a34cd0e2

C:\Users\Admin\AppData\Local\Temp\3c231ab6-0b6b-4d56-8376-a9f7a265d795.vbs

MD5 e1c51305ccd6ee28ec1aca1f63940da2
SHA1 ec915db2b816b299d9879673fae74005adfb4344
SHA256 1af34cf3e5113af9aa75d212742c292762f02c12c961eddc25d456e327ce508a
SHA512 23439d99604c1349cf95219e9b51a860466f7bd867117fd8f71340189123322fa0fafe56a67a4452dc2d590e05fc51ad1b3b05df4a732cdb528f5d6bfce3a7fe

C:\Users\Admin\AppData\Local\Temp\89e8f0f4-0d59-43f0-98dc-995bc47affef.vbs

MD5 bae2fdebb3fade0d41f05df1339d6934
SHA1 a645dce2874efcb56483e6bad76c82123455f719
SHA256 f99d0f8f7e693578b46c1bc137557eed44849807097aa64eea89cfe24e21d677
SHA512 03235aaea4b8ef7ec6a30b8e6b417e8aeb258e949b4b5992c7291d0563a4f3e33a7f0ddb36c44486e5a830121e2d729a38022a96787f398c0e5c87d1cb8de76d

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 05:55

Reported

2024-05-15 05:57

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WindowsPowerShell\Modules\dwm.exe C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\dwm.exe C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\RCX5B32.tmp C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\RCX5B33.tmp C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Sun\Java\Deployment\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Sun\Java\Deployment\RCX5F5C.tmp C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Sun\Java\Deployment\RCX5FDA.tmp C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Sun\Java\Deployment\csrss.exe C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
File created C:\Windows\Sun\Java\Deployment\csrss.exe C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1376 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1376 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1376 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1376 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1376 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1376 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1376 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1376 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1376 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1376 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1376 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1376 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 5084 wrote to memory of 3900 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5084 wrote to memory of 3540 N/A C:\Windows\System32\cmd.exe C:\Program Files\WindowsPowerShell\Modules\dwm.exe
PID 3540 wrote to memory of 1988 N/A C:\Program Files\WindowsPowerShell\Modules\dwm.exe C:\Windows\System32\WScript.exe
PID 3540 wrote to memory of 4780 N/A C:\Program Files\WindowsPowerShell\Modules\dwm.exe C:\Windows\System32\WScript.exe
PID 1988 wrote to memory of 4460 N/A C:\Windows\System32\WScript.exe C:\Program Files\WindowsPowerShell\Modules\dwm.exe
PID 4460 wrote to memory of 4356 N/A C:\Program Files\WindowsPowerShell\Modules\dwm.exe C:\Windows\System32\WScript.exe
PID 4460 wrote to memory of 1052 N/A C:\Program Files\WindowsPowerShell\Modules\dwm.exe C:\Windows\System32\WScript.exe
PID 4356 wrote to memory of 2424 N/A C:\Windows\System32\WScript.exe C:\Program Files\WindowsPowerShell\Modules\dwm.exe
PID 2424 wrote to memory of 3740 N/A C:\Program Files\WindowsPowerShell\Modules\dwm.exe C:\Windows\System32\WScript.exe
PID 2424 wrote to memory of 2448 N/A C:\Program Files\WindowsPowerShell\Modules\dwm.exe C:\Windows\System32\WScript.exe
PID 3740 wrote to memory of 5068 N/A C:\Windows\System32\WScript.exe C:\Program Files\WindowsPowerShell\Modules\dwm.exe
PID 5068 wrote to memory of 4628 N/A C:\Program Files\WindowsPowerShell\Modules\dwm.exe C:\Windows\System32\WScript.exe
PID 5068 wrote to memory of 752 N/A C:\Program Files\WindowsPowerShell\Modules\dwm.exe C:\Windows\System32\WScript.exe
PID 4628 wrote to memory of 424 N/A C:\Windows\System32\WScript.exe C:\Program Files\WindowsPowerShell\Modules\dwm.exe
PID 424 wrote to memory of 4472 N/A C:\Program Files\WindowsPowerShell\Modules\dwm.exe C:\Windows\System32\WScript.exe
PID 424 wrote to memory of 4000 N/A C:\Program Files\WindowsPowerShell\Modules\dwm.exe C:\Windows\System32\WScript.exe
PID 4472 wrote to memory of 1476 N/A C:\Windows\System32\WScript.exe C:\Program Files\WindowsPowerShell\Modules\dwm.exe
PID 1476 wrote to memory of 3040 N/A C:\Program Files\WindowsPowerShell\Modules\dwm.exe C:\Windows\System32\WScript.exe
PID 1476 wrote to memory of 4464 N/A C:\Program Files\WindowsPowerShell\Modules\dwm.exe C:\Windows\System32\WScript.exe
PID 3040 wrote to memory of 1724 N/A C:\Windows\System32\WScript.exe C:\Program Files\WindowsPowerShell\Modules\dwm.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\WindowsPowerShell\Modules\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Modules\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Modules\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Sun\Java\Deployment\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Sun\Java\Deployment\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Users\Public\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Users\Public\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m147yiIR6h.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\WindowsPowerShell\Modules\dwm.exe

"C:\Program Files\WindowsPowerShell\Modules\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7fd8752-89d6-4448-8864-7c6d7045c7d5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9877992c-a2b3-444f-aedb-cb4a50dd59bb.vbs"

C:\Program Files\WindowsPowerShell\Modules\dwm.exe

"C:\Program Files\WindowsPowerShell\Modules\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\592e7e33-f2df-47c9-9801-ccf9282b1397.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f88d8242-e00c-4d97-9157-1bf4d49c4e05.vbs"

C:\Program Files\WindowsPowerShell\Modules\dwm.exe

"C:\Program Files\WindowsPowerShell\Modules\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\937f4753-aa2a-4fc2-9a58-fd4eb9f790e6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\564346af-8872-4f9a-9087-4bb03a14c8c5.vbs"

C:\Program Files\WindowsPowerShell\Modules\dwm.exe

"C:\Program Files\WindowsPowerShell\Modules\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1206b3d4-8717-4578-8f5b-aa3423e1cac0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abe0f827-f4aa-4aa5-9115-dff9fc0f0c92.vbs"

C:\Program Files\WindowsPowerShell\Modules\dwm.exe

"C:\Program Files\WindowsPowerShell\Modules\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7197520a-4f41-40b3-b808-c13c64840f09.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4010bdd-1af1-46ab-b6db-933d54956e73.vbs"

C:\Program Files\WindowsPowerShell\Modules\dwm.exe

"C:\Program Files\WindowsPowerShell\Modules\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\729a664b-a9de-488d-9df4-6937727967b5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9d8b9cc-326d-47e3-83a2-c2a0235b53c6.vbs"

C:\Program Files\WindowsPowerShell\Modules\dwm.exe

"C:\Program Files\WindowsPowerShell\Modules\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70378bee-d86b-4fd6-a505-27d597c32a17.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e40eb784-9f3f-4fd9-992c-a2a05b4f8bd0.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0887556.xsph.ru udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 42.197.8.141.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Public\backgroundTaskHost.exe

C:\Windows\Sun\Java\Deployment\csrss.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wvsd2rlu.rkm.ps1

C:\Users\Admin\AppData\Local\Temp\m147yiIR6h.bat

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\c7fd8752-89d6-4448-8864-7c6d7045c7d5.vbs

C:\Users\Admin\AppData\Local\Temp\9877992c-a2b3-444f-aedb-cb4a50dd59bb.vbs

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

C:\Users\Admin\AppData\Local\Temp\592e7e33-f2df-47c9-9801-ccf9282b1397.vbs

C:\Users\Admin\AppData\Local\Temp\937f4753-aa2a-4fc2-9a58-fd4eb9f790e6.vbs

C:\Users\Admin\AppData\Local\Temp\1206b3d4-8717-4578-8f5b-aa3423e1cac0.vbs

C:\Users\Admin\AppData\Local\Temp\7197520a-4f41-40b3-b808-c13c64840f09.vbs

C:\Users\Admin\AppData\Local\Temp\729a664b-a9de-488d-9df4-6937727967b5.vbs

C:\Users\Admin\AppData\Local\Temp\70378bee-d86b-4fd6-a505-27d597c32a17.vbs