Malware Analysis Report

2024-11-15 05:49

Sample ID 240515-h6seqseg6v
Target a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics
SHA256 296ff7111b13564c6bffbc590f46a21188c873f95658d756c22425584453b9b6
Tags
rat dcrat evasion execution infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

296ff7111b13564c6bffbc590f46a21188c873f95658d756c22425584453b9b6

Threat Level: Known bad

The file a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion execution infostealer trojan

Process spawned unexpected child process

UAC bypass

Dcrat family

DcRat

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 07:21

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 07:21

Reported

2024-05-15 07:23

Platform

win7-20240221-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Temp\Crashpad\reports\smss.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Journal\ja-JP\csrss.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\RCX411C.tmp C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Media Player\fr-FR\System.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Program Files\7-Zip\Lang\188888a73639ae C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Journal\ja-JP\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Media Player\fr-FR\RCX3EAB.tmp C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\audiodg.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Google\Temp\RCX5243.tmp C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Program Files\7-Zip\Lang\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Google\Temp\winlogon.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Journal\ja-JP\csrss.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Google\Temp\winlogon.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Media Player\fr-FR\System.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Google\Temp\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\audiodg.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\b75386f1303e64 C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\csrss.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\RCX3C97.tmp C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\RCX431F.tmp C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Journal\ja-JP\RCX47C3.tmp C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\188888a73639ae C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Media Player\fr-FR\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\taskhost.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\RCX37C5.tmp C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\csrss.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\RCX4BCB.tmp C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\taskhost.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Setup\State\System.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Windows\Setup\State\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Setup\State\RCX45B0.tmp C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Setup\State\System.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\Crashpad\reports\smss.exe N/A
N/A N/A C:\Windows\Temp\Crashpad\reports\smss.exe N/A
N/A N/A C:\Windows\Temp\Crashpad\reports\smss.exe N/A
N/A N/A C:\Windows\Temp\Crashpad\reports\smss.exe N/A
N/A N/A C:\Windows\Temp\Crashpad\reports\smss.exe N/A
N/A N/A C:\Windows\Temp\Crashpad\reports\smss.exe N/A
N/A N/A C:\Windows\Temp\Crashpad\reports\smss.exe N/A
N/A N/A C:\Windows\Temp\Crashpad\reports\smss.exe N/A
N/A N/A C:\Windows\Temp\Crashpad\reports\smss.exe N/A
N/A N/A C:\Windows\Temp\Crashpad\reports\smss.exe N/A
N/A N/A C:\Windows\Temp\Crashpad\reports\smss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\Crashpad\reports\smss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2224 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2224 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2520 wrote to memory of 1152 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2520 wrote to memory of 1152 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2520 wrote to memory of 1152 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2520 wrote to memory of 2528 N/A C:\Windows\System32\cmd.exe C:\Windows\Temp\Crashpad\reports\smss.exe
PID 2520 wrote to memory of 2528 N/A C:\Windows\System32\cmd.exe C:\Windows\Temp\Crashpad\reports\smss.exe
PID 2520 wrote to memory of 2528 N/A C:\Windows\System32\cmd.exe C:\Windows\Temp\Crashpad\reports\smss.exe
PID 2528 wrote to memory of 2452 N/A C:\Windows\Temp\Crashpad\reports\smss.exe C:\Windows\System32\WScript.exe
PID 2528 wrote to memory of 2452 N/A C:\Windows\Temp\Crashpad\reports\smss.exe C:\Windows\System32\WScript.exe
PID 2528 wrote to memory of 2452 N/A C:\Windows\Temp\Crashpad\reports\smss.exe C:\Windows\System32\WScript.exe
PID 2528 wrote to memory of 2412 N/A C:\Windows\Temp\Crashpad\reports\smss.exe C:\Windows\System32\WScript.exe
PID 2528 wrote to memory of 2412 N/A C:\Windows\Temp\Crashpad\reports\smss.exe C:\Windows\System32\WScript.exe
PID 2528 wrote to memory of 2412 N/A C:\Windows\Temp\Crashpad\reports\smss.exe C:\Windows\System32\WScript.exe
PID 2452 wrote to memory of 2404 N/A C:\Windows\System32\WScript.exe C:\Windows\Temp\Crashpad\reports\smss.exe
PID 2452 wrote to memory of 2404 N/A C:\Windows\System32\WScript.exe C:\Windows\Temp\Crashpad\reports\smss.exe
PID 2452 wrote to memory of 2404 N/A C:\Windows\System32\WScript.exe C:\Windows\Temp\Crashpad\reports\smss.exe
PID 2404 wrote to memory of 896 N/A C:\Windows\Temp\Crashpad\reports\smss.exe C:\Windows\System32\WScript.exe
PID 2404 wrote to memory of 896 N/A C:\Windows\Temp\Crashpad\reports\smss.exe C:\Windows\System32\WScript.exe
PID 2404 wrote to memory of 896 N/A C:\Windows\Temp\Crashpad\reports\smss.exe C:\Windows\System32\WScript.exe
PID 2404 wrote to memory of 2312 N/A C:\Windows\Temp\Crashpad\reports\smss.exe C:\Windows\System32\WScript.exe
PID 2404 wrote to memory of 2312 N/A C:\Windows\Temp\Crashpad\reports\smss.exe C:\Windows\System32\WScript.exe
PID 2404 wrote to memory of 2312 N/A C:\Windows\Temp\Crashpad\reports\smss.exe C:\Windows\System32\WScript.exe
PID 896 wrote to memory of 1864 N/A C:\Windows\System32\WScript.exe C:\Windows\Temp\Crashpad\reports\smss.exe
PID 896 wrote to memory of 1864 N/A C:\Windows\System32\WScript.exe C:\Windows\Temp\Crashpad\reports\smss.exe
PID 896 wrote to memory of 1864 N/A C:\Windows\System32\WScript.exe C:\Windows\Temp\Crashpad\reports\smss.exe
PID 1864 wrote to memory of 400 N/A C:\Windows\Temp\Crashpad\reports\smss.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Temp\Crashpad\reports\smss.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\Temp\Crashpad\reports\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\Crashpad\reports\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a2076a85de5c50013fd48e423e2c2050_NeikiAnalyticsa" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a2076a85de5c50013fd48e423e2c2050_NeikiAnalyticsa" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\fr-FR\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\fr-FR\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a2076a85de5c50013fd48e423e2c2050_NeikiAnalyticsa" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a2076a85de5c50013fd48e423e2c2050_NeikiAnalyticsa" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Setup\State\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Setup\State\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\State\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\ja-JP\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\ja-JP\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Searches\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Searches\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Searches\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MShxucCbpR.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Temp\Crashpad\reports\smss.exe

"C:\Windows\Temp\Crashpad\reports\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e91a5fd6-2473-4eca-a721-d82924596864.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6fcfda8-4f11-4d82-901e-45966a26f86f.vbs"

C:\Windows\Temp\Crashpad\reports\smss.exe

C:\Windows\Temp\Crashpad\reports\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cfa6f23-718b-4828-abac-e81eb33b7df4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b3add36-0325-42a0-8a49-e1beb1538ef2.vbs"

C:\Windows\Temp\Crashpad\reports\smss.exe

C:\Windows\Temp\Crashpad\reports\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a85b11b-ae36-4e0d-8af0-74e7a0b8cdc1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b518053a-3d45-4410-9138-4e497851909a.vbs"

C:\Windows\Temp\Crashpad\reports\smss.exe

C:\Windows\Temp\Crashpad\reports\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\159c9b7a-7d9e-4917-b6d8-d0de94a4887b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93df9a78-56f4-4484-aa93-759f1f36b3d3.vbs"

C:\Windows\Temp\Crashpad\reports\smss.exe

C:\Windows\Temp\Crashpad\reports\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36cd1339-fb03-417e-88c1-b7ce3e076bd6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f9c7e93-d5d9-4998-917a-f7c6a8739f10.vbs"

C:\Windows\Temp\Crashpad\reports\smss.exe

C:\Windows\Temp\Crashpad\reports\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\702fd1a4-a25a-46f9-a8f7-827fdfd963c1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43dca75c-25d5-49dd-ba83-bac404d2dc93.vbs"

C:\Windows\Temp\Crashpad\reports\smss.exe

C:\Windows\Temp\Crashpad\reports\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac3eef52-dcb0-47b6-b93b-6b0ce8fef44f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba59e1ee-d98e-476c-9de2-12f8bb6ecf03.vbs"

C:\Windows\Temp\Crashpad\reports\smss.exe

C:\Windows\Temp\Crashpad\reports\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60d04011-32b2-426d-8a48-641b46039470.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a5ff9da-8dc4-438b-a317-0df0e83432a2.vbs"

C:\Windows\Temp\Crashpad\reports\smss.exe

C:\Windows\Temp\Crashpad\reports\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc0bcd1c-c277-46ad-8953-792fa00f1e88.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8211f57-0f21-4891-9104-1a773fad3367.vbs"

C:\Windows\Temp\Crashpad\reports\smss.exe

C:\Windows\Temp\Crashpad\reports\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e82c0598-8ac0-497f-bd9c-a40132e4e6d2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\186638af-fe8a-4fdd-b116-b3fa00935120.vbs"

C:\Windows\Temp\Crashpad\reports\smss.exe

C:\Windows\Temp\Crashpad\reports\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97ef99bd-616e-49c6-8925-631d1cedea0a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b9f6ce1-b2c4-4ec6-933c-92e52fc2a30f.vbs"

Network

Country Destination Domain Proto
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp

Files

C:\Program Files\Windows Media Player\fr-FR\System.exe

MD5 a2076a85de5c50013fd48e423e2c2050
SHA1 4ef4d4fd4cf21287ccb37baa4fc8a4efa31b6bd6
SHA256 296ff7111b13564c6bffbc590f46a21188c873f95658d756c22425584453b9b6
SHA512 ff45a43830600f097569378af3d957346f2e66bfbf65f5a89ba592c5b90ef0759bf7a587914fb84c3406b6624c2301652ed30440cde9701d18bdf68b46cfa1a3

C:\Program Files (x86)\Windows Photo Viewer\audiodg.exe

MD5 61d0b223317fb3d7dd141ca6c81d59b6
SHA1 45672974018c8d5327ee45ba4377ab9b6b951050
SHA256 b130505bbf92ae14b3ad76af1d78a659c5b1f408b9a67a24a3b747200bde5e55
SHA512 198f744af2f7d9ee2ac308eee524b2e4fc006723357bde10543e3c8379a9e672d5035279605d9453b5ee5982f6ca01d8e99ae4fbedf518a80f9c35cc7d048a87

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\RCX584F.tmp

MD5 a110f4ee8b628db5cdc780304fadfc44
SHA1 01a161f4ba0680c1747f35677e51ac6efeeccc5e
SHA256 59c05faef7f2418969e5c663f0b55b34f79e8079ec16159c3de814caac76a512
SHA512 0ef461ea6b4d4b6df998771e4a3bf64a4523b8efc8fc55604d248355210a05ecfe8eef2a65bfc125fb468b902f36f2ed1a91b3a055ff3ba66ca35a68eeb74990

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 166da7ed7589780562ec96ec9e99ad90
SHA1 0b9799074cb7bf43cbf6a9db5c18f242c4c20381
SHA256 233898991307a12f09ee3c81c6456642b0464cd94be2f8dab35b6d6edf0b1ce1
SHA512 15d9c803d8ea91f277afde654989d84df20c230f61d97974b05cc2a02906d420cf2be88b8c437b315b0eb16fb4c9b39e9d24b2b233bc4d3781b21d8b3aec235f

C:\Users\Admin\AppData\Local\Temp\MShxucCbpR.bat

MD5 461415bf43e631f91a657904e5c432c8
SHA1 ad718da9108a565f9a6cfc48844f52aedbece4a1
SHA256 bef3d33ce9078f3709972515229a6f7e110b594c673ec19dfa05ea71721e9294
SHA512 0ee0accd239bea0eb94e50236e7b46b169b97d30a544b0afe32772d89d00be064e31ac66977a122651538d054fc99f41e323b25a362b1ea9c6355a67024fdd72

C:\Users\Admin\AppData\Local\Temp\e91a5fd6-2473-4eca-a721-d82924596864.vbs

MD5 965aed64ec713061e1d2c6c428693a55
SHA1 f6d21cf7a6a4f5168602178b633c0c28df593e5e
SHA256 637fff82e7a95ded14555e8d548253c925115520e795aca8de3455ac0f00786a
SHA512 4b57968675d982ea74bce3a3f7ce43fbfb2a69cff85a7621b5cddf74be2e45c9cbd3d677a854b19e5b4b1183f19e36cc37e3d5ca9132115bc7624dbefd136215

C:\Users\Admin\AppData\Local\Temp\a6fcfda8-4f11-4d82-901e-45966a26f86f.vbs

MD5 734ac567be69f7fdb2fa45f00a1965e6
SHA1 9cd98ac32beef4f8ed29fa91399b02659e5b3f65
SHA256 bc4cb7e86d1e85bbc405ae97b86703998afd1873f2c0e31a49f705cdcb50d7bc
SHA512 6a52eb08759df061010f1709fcd2a4b92a4df10a99682c26a2e3e1e8b6bc41b47d440ed9482e32b7f125904a07238fc64e049b3ef21a462618b6060f000b5e92

C:\Users\Admin\AppData\Local\Temp\3cfa6f23-718b-4828-abac-e81eb33b7df4.vbs

MD5 51adee7793191370be5544da53291f31
SHA1 2a182f9d272fb2311a08000be503b9ac3f7cc4e5
SHA256 233c9d984be0451f27976ee1dd25cecbd91db4c90d90eac38fe7a4b06061705f
SHA512 c2438341c509758d5516cd2a944d90829ca75fff0bfa2adb47bdee973bde3a765889afe45363bf33fecece5448aef6080c71b4e26f83ca1cae8a29d5e5c19d0b

C:\Users\Admin\AppData\Local\Temp\9a85b11b-ae36-4e0d-8af0-74e7a0b8cdc1.vbs

MD5 a7f22205db3673c28098303b29338059
SHA1 322df7c5aa4f95463bd22990a36bd8527bcd64b5
SHA256 ec62fa6fd8ec5880da281f7235a82bf4ed6fd495114c6f54cb3178f704b36685
SHA512 f52604ccdde57c78eaafa0f01ae64f00f412baf5275379df6b1cf9550a9abb1364818e58a9f7ff8d86637a884635aae94d90e2a03f42c14748df9b54d17cb8a9

C:\Users\Admin\AppData\Local\Temp\cedea5fd2ec7d8edbb7961abc5ad526ecea37333.exe

MD5 f0e9d7dd85333e0d1fe274f674867505
SHA1 78333b627d35c6cb84c6f1d2187523fda85bd78c
SHA256 37a634020e504e5b9f8c66ca1853392d829b3be3378640682710f7b81fc491f1
SHA512 efbb8a5389fb22caacecad15a33afe50f9cce2477d346945734f218bddd46827b96099409c193612f3faf963f380ed4dd28d2aa9ea942bef2821f0e8f405ed72

C:\Users\Admin\AppData\Local\Temp\159c9b7a-7d9e-4917-b6d8-d0de94a4887b.vbs

MD5 5f8cffc181f94542aab1d27fb96c3bde
SHA1 f78a1f7c5cf343e020275b131fcb91e749cf8dba
SHA256 06094dc0795d35bded7024c2cf095b898e7fd375b13313fb881d5720a00ecd59
SHA512 4cd460bf74b7d168a8d84c8ca5bcb52a235d2712cbe6a9b6c156164023153a84e0fef30b7fd1743e206de95dbc73a49a8fe0f76449aee7853a19a2a4dd3d478b

C:\Users\Admin\AppData\Local\Temp\36cd1339-fb03-417e-88c1-b7ce3e076bd6.vbs

MD5 64d90f9a8d3a546db27cab0439a393b6
SHA1 c07693b1b760e1439f9ebf9403ce9455a08693f1
SHA256 5d2a5ab6d065e66c33d1822ec5f6fb7f7530bc6c2c493b8313c04024baa481bb
SHA512 696d65c6756b56f941a69a896e2cae5e27cdd4284deafc8a776f66a56d15a75d357acd84f9da6d01ee81cd5d9b257d75e7f2afb18980681a9e664110cf6eac12

C:\Users\Admin\AppData\Local\Temp\702fd1a4-a25a-46f9-a8f7-827fdfd963c1.vbs

MD5 30270276a081b74ac73c597fd2eb6743
SHA1 3dcc62d850acfd770e6ff5ea43e3280952593b57
SHA256 3f17593717c0b234ae3e1d7f51ceaf421bedda8032a0343c17bcbbfb57a1a22a
SHA512 bf0d92b6ab8be3f32099f8985955dd1d6b3b29f64794d5463ab16873c8c194c8780fd4d5a1e7e6240c61054362acef133d2009e1d9ffbf16ec8645eb5385052e

C:\Users\Admin\AppData\Local\Temp\ac3eef52-dcb0-47b6-b93b-6b0ce8fef44f.vbs

MD5 e59d9a6cb1b018c6d89a9746c41bb117
SHA1 a7ff9d9f7b007129aa7dbddb40f3b7dbcc471f04
SHA256 752abe117be767786870864c31ff24ffc999d38667c0d2b25c6ce83563c7423d
SHA512 f92bd8d1a6347e97cd18be7b0e02cef4340de0e54383481731932e194946026077a1d5e9da7595177cc0a1b5c1dbbd4a3f6e35b57878501045554fd34276f373

C:\Users\Admin\AppData\Local\Temp\60d04011-32b2-426d-8a48-641b46039470.vbs

MD5 f16e0b8e9527ce0670c3ed80666179e3
SHA1 a6a819e061b0e164a3c6b742664f097e414f80c3
SHA256 86ea86ac4bc96f798ae4793e2a0e8ee84e0684740f1375223691d4bbec389de2
SHA512 464038cd65dfa456923ee343ca09577857ab7e6d532c098d342c2d5b46388fdfafa26804ddb3abf2dda88f45b69fabf395ffc30bdc03a2f3f402c46010d59a6c

C:\Users\Admin\AppData\Local\Temp\cc0bcd1c-c277-46ad-8953-792fa00f1e88.vbs

MD5 aee8ab1bc64e514c82c0aab56880961a
SHA1 df6d315af9698bb13d48201c66a8310a227f40b5
SHA256 c79b4a3ae7c15670378ecdb45d1c9bb38d092538c0e42567091cab7f5e8484a9
SHA512 1ddc903b5be0db0eb087ad02d0c8c4d7f3a6cc2ed43592a9b8c5cd1902b337bba2c4b3b70b9e4a2da86be32c9a91951b28dc112b6b1d69b7365dbf018a96e285

C:\Users\Admin\AppData\Local\Temp\e82c0598-8ac0-497f-bd9c-a40132e4e6d2.vbs

MD5 e367cd0d8f85f7f38138c0ae7cc15acb
SHA1 889b33ca4da239ada23a6c54a41a08f400a15a31
SHA256 8be69f1fad662a302cffc84dcf3520949c88bdd6ff4dc5d07bbc1392389cc643
SHA512 5877d0c4c1b1ccdfe6957d95ec7e84215c2ebeef06ac5782b465114ba419c42afbb36e633aef20c55ba773fe462ff02dadc4ab2352a3c1880b72415b4bbc29c0

C:\Users\Admin\AppData\Local\Temp\97ef99bd-616e-49c6-8925-631d1cedea0a.vbs

MD5 220d1f3d394c91926447bc8d438415cf
SHA1 3d5b5d01cab4452d274739fe3ea54686b6287d40
SHA256 2865316de681772804c8a3e08ba88008d6d00846416a4704da84ec18cd0b797a
SHA512 9116ba5d2be4a194edf6a8ebc007e3543991426e4fd11887a242e28c35376e23bd1424f44151369cc9de0f91ad7176abe8d9b76090912f576053ac154eab9610

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 07:21

Reported

2024-05-15 07:23

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Program Files\Java\jre8\lib\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Internet Explorer\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Internet Explorer\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jre8\lib\RCX50F4.tmp C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCX5F03.tmp C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Program Files\ModifiableWindowsApps\wininit.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\RCX638A.tmp C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Program Files\Java\jre8\lib\sihost.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jre8\lib\sihost.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\RCX55F7.tmp C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ja-JP\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Sun\Java\Deployment\dllhost.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Windows\Resources\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Windows\WinSxS\sysmon.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Sun\Java\Deployment\RCX48D1.tmp C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Resources\RCX4CDB.tmp C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Resources\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Windows\Sun\Java\Deployment\dllhost.exe C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Windows\Sun\Java\Deployment\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
File created C:\Windows\Resources\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 720 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 720 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 720 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 720 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 720 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 720 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 720 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 720 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 720 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 720 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 720 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 720 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 720 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 720 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 720 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 720 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 720 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 720 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 720 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 720 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 720 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 720 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 720 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 720 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 1656 wrote to memory of 1508 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1656 wrote to memory of 1508 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1656 wrote to memory of 3972 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\RuntimeBroker.exe
PID 1656 wrote to memory of 3972 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\RuntimeBroker.exe
PID 3972 wrote to memory of 2728 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3972 wrote to memory of 2728 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3972 wrote to memory of 3684 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3972 wrote to memory of 3684 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2728 wrote to memory of 3228 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\RuntimeBroker.exe
PID 2728 wrote to memory of 3228 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\RuntimeBroker.exe
PID 3228 wrote to memory of 4348 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3228 wrote to memory of 4348 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3228 wrote to memory of 3732 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3228 wrote to memory of 3732 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4348 wrote to memory of 720 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\RuntimeBroker.exe
PID 4348 wrote to memory of 720 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\RuntimeBroker.exe
PID 720 wrote to memory of 3136 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 720 wrote to memory of 3136 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 720 wrote to memory of 3740 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 720 wrote to memory of 3740 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3136 wrote to memory of 952 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\RuntimeBroker.exe
PID 3136 wrote to memory of 952 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\RuntimeBroker.exe
PID 952 wrote to memory of 1912 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 952 wrote to memory of 1912 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 952 wrote to memory of 796 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 952 wrote to memory of 796 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 1912 wrote to memory of 2232 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\RuntimeBroker.exe
PID 1912 wrote to memory of 2232 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\RuntimeBroker.exe
PID 2232 wrote to memory of 4436 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2232 wrote to memory of 4436 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2232 wrote to memory of 4596 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2232 wrote to memory of 4596 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4436 wrote to memory of 5056 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\RuntimeBroker.exe
PID 4436 wrote to memory of 5056 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\RuntimeBroker.exe
PID 5056 wrote to memory of 4608 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5056 wrote to memory of 4608 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5056 wrote to memory of 4444 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5056 wrote to memory of 4444 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4608 wrote to memory of 3504 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\RuntimeBroker.exe
PID 4608 wrote to memory of 3504 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\RuntimeBroker.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Sun\Java\Deployment\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\Java\Deployment\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Resources\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre8\lib\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Java\jre8\lib\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre8\lib\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Start Menu\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Application Data\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Application Data\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\48sAkNrSAB.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\RuntimeBroker.exe

"C:\Recovery\WindowsRE\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5df52fb-3bd3-4eb9-aabe-947f1aeafc7b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\213b4795-adef-4574-85d4-e63f95644206.vbs"

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d944b65c-516e-444a-aa07-44664e8f62a3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33262717-c685-4977-958e-57dbee9517a7.vbs"

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\040bc938-c31f-4199-b6f0-f70d235aa631.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\126b996a-2224-4270-9c15-631bef969a1f.vbs"

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7de3ee7f-0f4b-4176-869d-240c966af155.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ec971c1-6ec3-4577-a03f-aa8ec31995aa.vbs"

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af082c4d-682c-419d-993d-b683b10828a4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea5b8577-0683-4760-9c59-23158d576ad8.vbs"

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d09534af-13c7-4de7-a5b2-ee4846e35e3a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f795dac-606d-49c8-a4f3-864b20082917.vbs"

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1682fb79-f2b1-4ae9-8e82-0eabf573fdec.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd988f1c-ac37-42a7-b599-f643e78050e2.vbs"

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d901daf0-d811-4b88-8d66-21b62690b5b1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eba36fd6-b8dd-48ac-aaf9-e5399890e103.vbs"

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c0d673f-1a5d-40cb-9b2b-484c4a186acf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89583493-abaf-43df-a59c-62aadc42e2d0.vbs"

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7be968a8-b845-4870-a53f-9a3b6d8c89b6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76363780-4244-4c2f-9ec6-c544a2595656.vbs"

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\241bc3ee-8e86-4114-aced-1d747012f2e9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15cb67be-6bb2-4d7d-a37e-c5dd4cf1b251.vbs"

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecca572a-31d5-40ab-a9ee-70e1976c1999.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6a075a3-80ba-4a3a-ab25-92bafb1aa935.vbs"

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\381fd8a6-fb7c-4d85-a2f7-ea78d0d5f992.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31327b99-ec22-4e26-8375-d919ee1fdddb.vbs"

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b40b5a3-780c-4a3f-a7e7-4ab32a70888b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1f579d8-f0b0-444e-bf3f-a1669746d3c6.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 247.68.154.149.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 48.192.11.51.in-addr.arpa udp

Files

C:\Program Files\Java\jre8\lib\sihost.exe

C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ux51evwv.nwh.ps1

C:\Users\Admin\AppData\Local\Temp\48sAkNrSAB.bat

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\Users\Admin\AppData\Local\Temp\c5df52fb-3bd3-4eb9-aabe-947f1aeafc7b.vbs

C:\Users\Admin\AppData\Local\Temp\213b4795-adef-4574-85d4-e63f95644206.vbs

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

C:\Users\Admin\AppData\Local\Temp\d944b65c-516e-444a-aa07-44664e8f62a3.vbs

C:\Users\Admin\AppData\Local\Temp\040bc938-c31f-4199-b6f0-f70d235aa631.vbs

C:\Users\Admin\AppData\Local\Temp\7de3ee7f-0f4b-4176-869d-240c966af155.vbs

C:\Users\Admin\AppData\Local\Temp\af082c4d-682c-419d-993d-b683b10828a4.vbs

C:\Users\Admin\AppData\Local\Temp\d09534af-13c7-4de7-a5b2-ee4846e35e3a.vbs

C:\Users\Admin\AppData\Local\Temp\1682fb79-f2b1-4ae9-8e82-0eabf573fdec.vbs

C:\Users\Admin\AppData\Local\Temp\b935b1f74bad2fdb1615016a349626c7457f2cac.exe

C:\Users\Admin\AppData\Local\Temp\d901daf0-d811-4b88-8d66-21b62690b5b1.vbs

C:\Users\Admin\AppData\Local\Temp\3c0d673f-1a5d-40cb-9b2b-484c4a186acf.vbs

C:\Users\Admin\AppData\Local\Temp\7be968a8-b845-4870-a53f-9a3b6d8c89b6.vbs

C:\Users\Admin\AppData\Local\Temp\241bc3ee-8e86-4114-aced-1d747012f2e9.vbs

C:\Users\Admin\AppData\Local\Temp\ecca572a-31d5-40ab-a9ee-70e1976c1999.vbs

C:\Users\Admin\AppData\Local\Temp\381fd8a6-fb7c-4d85-a2f7-ea78d0d5f992.vbs
