Malware Analysis Report

2024-11-15 05:49

Sample ID 240515-jnl1nsfg9x
Target a76c3992f0ce41945386691b991de4f0_NeikiAnalytics
SHA256 92e319b1b62dd242ccb3feaaa29200780cc33c46a5b35a4f5723fbcd73976023
Tags
rat dcrat evasion execution infostealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

92e319b1b62dd242ccb3feaaa29200780cc33c46a5b35a4f5723fbcd73976023

Threat Level: Known bad

The file a76c3992f0ce41945386691b991de4f0_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion execution infostealer trojan

DCRat payload

DcRat

Process spawned unexpected child process

Dcrat family

UAC bypass

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Modifies registry class

System policy modification

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 07:48

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 07:48

Reported

2024-05-15 07:51

Platform

win7-20240221-en

Max time kernel

150s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (36 identical events)
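The parent/child pair above is the detectable part of this signature: a process created through WMI (Win32_Process.Create) is parented by WmiPrvSE.exe, so WmiPrvSE.exe launching schtasks.exe means something asked WMI to create the scheduled tasks rather than a user or script running schtasks directly. The following is an added example, not code from the sandbox or the report: it runs an expected-parent check over a constructed event list built from the parent/child pairs in this report (the WmiPrvSE.exe -> schtasks.exe rows and the chain from the WriteProcessMemory table), plus one benign explorer.exe -> schtasks.exe control. The EXPECTED_PARENTS allowlist is an assumption to tune against your own baseline.

```python
"""Flag process-creation events whose parent should not be launching the child.

Added example, not part of the sandbox report: the event list below is
constructed from the parent/child pairs shown in this report, and the
allowlist of expected parents is an assumption to tune to your own baseline.
"""
from collections import Counter

# Children that only a short list of parents should ever launch (assumed baseline).
EXPECTED_PARENTS = {
    "schtasks.exe": {"cmd.exe", "explorer.exe", "powershell.exe", "svchost.exe"},
    "wscript.exe": {"explorer.exe", "cmd.exe"},
}

# A process created through WMI (Win32_Process.Create) gets WmiPrvSE.exe as
# its parent, so WmiPrvSE.exe -> schtasks.exe normally means something used
# WMI to launch schtasks rather than a user or script doing so directly.
SUSPICIOUS_PARENTS = {"wmiprvse.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def flag_unexpected_children(events):
    """events: iterable of (parent_image, child_image) pairs.

    Returns a list of (parent, child, reason) tuples, one per flagged event.
    """
    findings = []
    for parent, child in events:
        p, c = basename(parent), basename(child)
        if p in SUSPICIOUS_PARENTS:
            findings.append((p, c, "parent is the WMI provider host"))
        elif c in EXPECTED_PARENTS and p not in EXPECTED_PARENTS[c]:
            findings.append((p, c, "parent not in allowlist for this child"))
    return findings


def summarize(findings):
    """Collapse repeated findings into counts keyed by (parent, child, reason)."""
    return dict(Counter(findings))


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe"
DROPPED = r"C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe"

# Constructed from the report's signature rows; the explorer.exe row is a
# benign control that should not be flagged.
SAMPLE_EVENTS = (
    [(r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\schtasks.exe")] * 36
    + [
        (SAMPLE, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
        (SAMPLE, DROPPED),
        (DROPPED, r"C:\Windows\System32\WScript.exe"),
        (r"C:\Windows\System32\WScript.exe", DROPPED),
        (r"C:\Windows\explorer.exe", r"C:\Windows\system32\schtasks.exe"),
    ]
)

if __name__ == "__main__":
    counts = summarize(flag_unexpected_children(SAMPLE_EVENTS))
    for (parent, child, reason), n in sorted(counts.items()):
        print(f"{n:3d}x {parent} -> {child}: {reason}")
```

Run against the constructed events, the check reports the 36 WmiPrvSE.exe -> schtasks.exe launches and the dropped services.exe starting WScript.exe; the sample starting powershell.exe is not flagged because powershell.exe has no allowlist entry here, which is the kind of gap a real baseline has to close.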

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
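Three values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System are written to 0 here: EnableLUA=0 turns UAC off entirely (after a reboot), ConsentPromptBehaviorAdmin=0 makes administrators elevate without any prompt, and PromptOnSecureDesktop=0 moves any remaining prompt off the secure desktop. One caveat worth keeping in mind when reading the "UAC bypass" label: these values live under HKLM, so writing them already requires an elevated token; the writes remove future prompts rather than obtaining elevation. The following is an added example, not code from the report or the sandbox: it parses rows in the table format above (assumed to be `<op> <key>\<name>[ = "<int>"] <process> <target>`), replays the writes against Windows default values, and states what the resulting configuration means. The rows in ROWS are copied from this table.

```python
"""Replay the UAC policy writes from this report and state what the resulting
registry values mean.

Added example, not code from the report or the sandbox: the rows below are
copied from the 'UAC bypass' table, the baseline values are Windows defaults,
and the row format is assumed to be '<op> <key>\\<name>[ = "<int>"] <process> <target>'.
"""
import re

POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Windows defaults for the three values the sample writes.
BASELINE = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

ROW_RE = re.compile(
    r'^(?P<op>Set value \(int\)|Key value queried) '
    r'(?P<key>\\REGISTRY\\[^ ]+?)\\(?P<name>[A-Za-z]+)'
    r'(?: = "(?P<value>-?\d+)")? '
    r'(?P<process>.+?) (?P<target>\S+)$'
)


def parse_row(line):
    """Return a dict for one registry table row, or None if the line is not one."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["value"] = int(ev["value"]) if ev["value"] is not None else None
    return ev


def replay(rows):
    """Apply the writes in order.

    Returns (final_state, {value_name: set of writer basenames}); queries and
    rows outside the UAC policy key are ignored.
    """
    state = dict(BASELINE)
    writers = {}
    for line in rows:
        ev = parse_row(line)
        if ev is None or ev["value"] is None or ev["key"] != POLICY_KEY:
            continue
        state[ev["name"]] = ev["value"]
        writers.setdefault(ev["name"], set()).add(ev["process"].rsplit("\\", 1)[-1])
    return state, writers


def assess_uac(state):
    """Translate the policy values into their documented effect."""
    findings = []
    if state.get("EnableLUA") == 0:
        findings.append("EnableLUA=0: UAC is turned off entirely (requires a reboot to take effect)")
    if state.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate without any prompt")
    if state.get("PromptOnSecureDesktop") == 0:
        findings.append("PromptOnSecureDesktop=0: prompts appear on the normal desktop, "
                        "where other processes can interact with them")
    return findings


# Rows copied from the report's 'UAC bypass' and 'Checks whether UAC is enabled' tables.
ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A',
]

if __name__ == "__main__":
    state, writers = replay(ROWS)
    for name, procs in sorted(writers.items()):
        print(f"{name} set to {state[name]} by: {', '.join(sorted(procs))}")
    for line in assess_uac(state):
        print("-", line)
```

Replaying the copied rows leaves all three values at 0, with EnableLUA written by both the original sample and the dropped C:\Recovery\...\services.exe; the same replay over the baseline alone reports nothing, which is the control case for the check.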

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (8 events, no indicator recorded)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\1ccdc59d64bdbd C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Program Files\Internet Explorer\images\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\RCXC5BA.tmp C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Adobe\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Program Files\Google\Chrome\lsm.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Program Files\Google\Chrome\101b941d020240 C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Journal\smss.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Journal\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\RCXB85C.tmp C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\lsm.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Journal\smss.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Program Files\Internet Explorer\images\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Internet Explorer\images\RCXC194.tmp C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Internet Explorer\images\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Journal\RCXC7DD.tmp C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\diagnostics\lsm.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Windows\ModemLogs\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\RCXB1B5.tmp C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\ModemLogs\RCXB649.tmp C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Windows\servicing\Editions\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Windows\servicing\Editions\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\ModemLogs\csrss.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\servicing\Editions\RCXBA6F.tmp C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\servicing\Editions\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Windows\BitLockerDiscoveryVolumeContents\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Windows\ModemLogs\csrss.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
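The two tables above show the same pattern in every directory the sample writes to: an executable that borrows the name of a core Windows binary (csrss.exe, smss.exe, lsm.exe, services.exe, spoolsv.exe, sppsvc.exe, audiodg.exe) is dropped well away from System32, and a 14-character hex-named file with no extension lands beside it. The following is an added example, not code from the report: it runs a name-versus-location check over a constructed path list taken from these tables (plus the C:\Recovery\...\services.exe path from the process list and one benign System32 control), and groups the directories that received both an executable and a hex-named companion. The SYSTEM_BINARIES set is a short assumption to extend from your own baseline; the example does not assume what the companion files contain.

```python
"""Flag dropped files that reuse the name of a Windows system binary outside
its home directory, and find the directories where such a file was written
together with an extension-less hex-named companion file.

Added example, not part of the report: the path list is constructed from the
'Drops file in ...' tables plus one benign control path, and the set of
system binary names is a short assumption to extend from your own baseline.
"""
import re

SYSTEM32 = r"c:\windows\system32"

# Core Windows binaries that live in System32; a file with one of these names
# anywhere else is worth a look (assumed short list).
SYSTEM_BINARIES = {
    "csrss.exe", "smss.exe", "lsm.exe", "services.exe", "spoolsv.exe",
    "sppsvc.exe", "audiodg.exe", "wininit.exe", "lsass.exe", "svchost.exe",
}

# The report shows a 14-character lower-case hex name with no extension next
# to every dropped executable; match that shape without assuming its purpose.
COMPANION_RE = re.compile(r"^[0-9a-f]{10,}$")


def split_path(path):
    """(directory, filename), both lower-cased."""
    d, _, name = path.lower().rpartition("\\")
    return d, name


def is_masquerade(path):
    """True if the file name is a system binary name but the directory is not System32."""
    d, name = split_path(path)
    return name in SYSTEM_BINARIES and d != SYSTEM32


def find_masquerades(paths):
    return [p for p in paths if is_masquerade(p)]


def find_drop_sites(paths):
    """Directories that received both an .exe and a hex-named companion file."""
    by_dir = {}
    for p in paths:
        d, name = split_path(p)
        slot = by_dir.setdefault(d, {"exe": [], "companions": []})
        if name.endswith(".exe"):
            slot["exe"].append(name)
        elif COMPANION_RE.match(name):
            slot["companions"].append(name)
    return {d: s for d, s in by_dir.items() if s["exe"] and s["companions"]}


# Constructed from the report's file tables; the last entry is a benign control.
CREATED = [
    r"C:\Program Files (x86)\Adobe\1ccdc59d64bdbd",
    r"C:\Program Files\Internet Explorer\images\sppsvc.exe",
    r"C:\Program Files (x86)\Adobe\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe",
    r"C:\Program Files\Google\Chrome\lsm.exe",
    r"C:\Program Files\Google\Chrome\101b941d020240",
    r"C:\Program Files\Windows Journal\smss.exe",
    r"C:\Program Files\Windows Journal\69ddcba757bf72",
    r"C:\Program Files\Internet Explorer\images\0a1fd5f707cd16",
    r"C:\Windows\diagnostics\lsm.exe",
    r"C:\Windows\ModemLogs\886983d96e3d3e",
    r"C:\Windows\servicing\Editions\spoolsv.exe",
    r"C:\Windows\servicing\Editions\f3b6ecef712a24",
    r"C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe",
    r"C:\Windows\BitLockerDiscoveryVolumeContents\42af1c969fbb7b",
    r"C:\Windows\ModemLogs\csrss.exe",
    r"C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe",
    r"C:\Windows\System32\csrss.exe",
]

if __name__ == "__main__":
    for p in find_masquerades(CREATED):
        print("masquerade:", p)
    for d, s in sorted(find_drop_sites(CREATED).items()):
        print(f"drop site {d}: exe={s['exe']} companions={s['companions']}")
```

On the constructed list the check flags eight masquerading executables and seven drop sites; C:\Windows\diagnostics\lsm.exe is flagged as a masquerade but is not a drop site because no companion file was recorded there, and the System32 control path is not flagged at all.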

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (36 events)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
N/A N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
N/A N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
N/A N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
N/A N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
N/A N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
N/A N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
N/A N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
N/A N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2768 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
PID 2768 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
PID 2768 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
PID 324 wrote to memory of 2304 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe C:\Windows\System32\WScript.exe
PID 324 wrote to memory of 2304 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe C:\Windows\System32\WScript.exe
PID 324 wrote to memory of 2304 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe C:\Windows\System32\WScript.exe
PID 324 wrote to memory of 1996 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe C:\Windows\System32\WScript.exe
PID 324 wrote to memory of 1996 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe C:\Windows\System32\WScript.exe
PID 324 wrote to memory of 1996 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe C:\Windows\System32\WScript.exe
PID 2304 wrote to memory of 2544 N/A C:\Windows\System32\WScript.exe C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
PID 2304 wrote to memory of 2544 N/A C:\Windows\System32\WScript.exe C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
PID 2304 wrote to memory of 2544 N/A C:\Windows\System32\WScript.exe C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
PID 2544 wrote to memory of 2116 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe C:\Windows\System32\WScript.exe
PID 2544 wrote to memory of 2116 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe C:\Windows\System32\WScript.exe
PID 2544 wrote to memory of 2116 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe C:\Windows\System32\WScript.exe
PID 2544 wrote to memory of 1940 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe C:\Windows\System32\WScript.exe
PID 2544 wrote to memory of 1940 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe C:\Windows\System32\WScript.exe
PID 2544 wrote to memory of 1940 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe C:\Windows\System32\WScript.exe
PID 2116 wrote to memory of 1484 N/A C:\Windows\System32\WScript.exe C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
PID 2116 wrote to memory of 1484 N/A C:\Windows\System32\WScript.exe C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
PID 2116 wrote to memory of 1484 N/A C:\Windows\System32\WScript.exe C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
PID 1484 wrote to memory of 1728 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe C:\Windows\System32\WScript.exe
PID 1484 wrote to memory of 1728 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe C:\Windows\System32\WScript.exe
PID 1484 wrote to memory of 1728 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe C:\Windows\System32\WScript.exe
PID 1484 wrote to memory of 2808 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe C:\Windows\System32\WScript.exe
PID 1484 wrote to memory of 2808 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe C:\Windows\System32\WScript.exe
PID 1484 wrote to memory of 2808 N/A C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe C:\Windows\System32\WScript.exe
PID 1728 wrote to memory of 2472 N/A C:\Windows\System32\WScript.exe C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ModemLogs\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a76c3992f0ce41945386691b991de4f0_NeikiAnalyticsa" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a76c3992f0ce41945386691b991de4f0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a76c3992f0ce41945386691b991de4f0_NeikiAnalyticsa" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\servicing\Editions\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\servicing\Editions\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\servicing\Editions\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Downloads\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Downloads\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\images\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\images\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe

"C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a3913c6-c403-4575-82cc-9efa443f58da.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b770a552-b404-4c4c-b8bf-a07b02aa329d.vbs"

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\189315fe-d30f-4820-95bf-136e5099806e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51f4de88-b488-468d-b114-9eb78d5769fc.vbs"

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81a20895-7992-478c-a1f6-70e9c4005aa3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0b48b46-92fc-4dc7-9a5f-fd0f115bd29a.vbs"

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\254fd276-a90b-42e9-bc22-f3c0c470bddf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13381cec-12f5-4cf1-9d9e-623bc5f2328e.vbs"

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87983f1d-2c5a-4e9e-ad7a-6268d1febc9b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44be4781-1631-444c-9f6d-682110435f04.vbs"

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ce27bbf-81d8-413e-b18f-d55c53d4e8e1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91bc37cd-f09e-406c-8374-a636f716fd9b.vbs"

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\babcc170-13ac-40bf-be35-ae34702a755e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fa70d88-92aa-4426-9419-82f3caa590b1.vbs"

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11708d4c-d3f6-420b-bf7a-5970c65c2b2e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f963144-2cf4-49db-b764-63b890cb9c72.vbs"

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\260a53a8-3477-40db-8dc1-f3b67bf62dc7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a36caac-c0db-4cbd-92c7-21280f0e644a.vbs"

Network

Country Destination Domain Proto
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp

Files

memory/2768-0-0x000007FEF5753000-0x000007FEF5754000-memory.dmp

memory/2768-1-0x0000000000AE0000-0x0000000000DC6000-memory.dmp

memory/2768-2-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

memory/2768-3-0x00000000004E0000-0x00000000004FC000-memory.dmp

memory/2768-4-0x0000000000500000-0x0000000000508000-memory.dmp

memory/2768-5-0x00000000009B0000-0x00000000009C0000-memory.dmp

memory/2768-6-0x00000000009C0000-0x00000000009D6000-memory.dmp

memory/2768-7-0x00000000009E0000-0x00000000009E8000-memory.dmp

memory/2768-8-0x00000000009F0000-0x00000000009F8000-memory.dmp

memory/2768-9-0x0000000000A90000-0x0000000000AA0000-memory.dmp

memory/2768-10-0x0000000000A00000-0x0000000000A0A000-memory.dmp

memory/2768-11-0x0000000002290000-0x00000000022E6000-memory.dmp

memory/2768-12-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

memory/2768-13-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

memory/2768-14-0x0000000000AC0000-0x0000000000ACC000-memory.dmp

memory/2768-15-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

memory/2768-16-0x00000000021F0000-0x00000000021F8000-memory.dmp

memory/2768-17-0x0000000002200000-0x0000000002208000-memory.dmp

memory/2768-18-0x00000000022E0000-0x00000000022EA000-memory.dmp

memory/2768-19-0x000000001A960000-0x000000001A96E000-memory.dmp

memory/2768-21-0x000000001A980000-0x000000001A98E000-memory.dmp

memory/2768-20-0x000000001A970000-0x000000001A978000-memory.dmp

memory/2768-22-0x000000001A990000-0x000000001A99C000-memory.dmp

memory/2768-23-0x000000001A9A0000-0x000000001A9A8000-memory.dmp

memory/2768-24-0x000000001A9B0000-0x000000001A9BA000-memory.dmp

memory/2768-25-0x000000001AE00000-0x000000001AE0C000-memory.dmp

C:\Program Files (x86)\Adobe\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe

MD5 a76c3992f0ce41945386691b991de4f0
SHA1 694416f5f2cc6579af87f08175b52f9039930972
SHA256 92e319b1b62dd242ccb3feaaa29200780cc33c46a5b35a4f5723fbcd73976023
SHA512 6f8e49018ca2bd9ef4f002d968903cd6e414d61afbc68e8c70f74e1c473d612ed07f25af2c129fbd59105b71c9704cbc4c4b2e1b889ef3ebb8896a64b6ba7870

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 a87e3199a6d48f2f0557bc3312c9a825
SHA1 9905728721099bac2f8981a4fff1518f565732ea
SHA256 fabf0295174f9d5592c0db1cddf112afde2b7be16855f529f6bf922ebcd9851a
SHA512 38c11653369045065f4d760c9c86f2ec94f0f2cb8f89aaee3840efbb5d266dc8056f7e3a0c21f10fc8166a188a023ef03a633e2f356d29fa93145038ff6f8a58

memory/2808-164-0x0000000002690000-0x0000000002698000-memory.dmp

memory/2692-154-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe

MD5 50200bb05eb5ce4121495f32a8ff5e3e
SHA1 b507c386d869bd4b561ccf2dc56cd1bd28473ee0
SHA256 e223f04b0ebfe8bbb1690d3406b9c013a81d0fd4a7860060f617ceff06a27363
SHA512 6656be3d220e143974c4c2efb9768724d337ddfe711e200ead2b0873ec9d6f9028902a0afbac5b53b814822fac296490438a193ca7ce04c51897b9186ef20eb6

memory/324-189-0x00000000002B0000-0x0000000000596000-memory.dmp

memory/2768-190-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

memory/324-191-0x0000000000A10000-0x0000000000A22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1a3913c6-c403-4575-82cc-9efa443f58da.vbs

MD5 b68beb1b051f04bb69f361e278c39639
SHA1 3d10aeaecdc442ea4da4d8d8a89ca64e20b1b945
SHA256 04e6ba9342338b03fa73e1bafedff858a57fb5a32a87437c494fbe9e1d5dc0e7
SHA512 8f1b0803e2ccece947827eae237ac4e1c6d99d1f8cf39be383cdffdeef3eaa7632e20c970df91972f32d9ca25f94f20449eb88602042a8a8afd9226f0f09fadf

C:\Users\Admin\AppData\Local\Temp\b770a552-b404-4c4c-b8bf-a07b02aa329d.vbs

MD5 bc8d4619fd969519a924a3cd5ea48cbd
SHA1 7766371d8981c1f50a9b4582dff2ac253638cf8e
SHA256 49edc2f9eac211985ee409b8a07d9d8a6fa755c026842924b5fb3d0b589fd82c
SHA512 3ca9366d00ec76bfbd25571013328f02d9e93d4958a1a6630ffbf419fa7225f206fc6228ec3b5f364785b90b7553b302128f2111e8b1513f0bc831b16242b1b9

memory/2544-202-0x0000000000CE0000-0x0000000000FC6000-memory.dmp

memory/2544-203-0x0000000000CD0000-0x0000000000CE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\189315fe-d30f-4820-95bf-136e5099806e.vbs

MD5 357137808f0d53414931e7711701f07f
SHA1 ffa2547d28b2acd863f6188ee7526f87cdfc2d58
SHA256 cc70b61ab7f01293d8190cf81f9b1d2bafded9d0507f187c3c8df9b14c6dcc85
SHA512 df6b74865f1c8d1ffec55f2a2ca9850e127ee40be7bff02cdfff4c34ff03f2e69778bccc4dd83f11db3bfbf9f39ae973bec30d5b1b3db934ea0b85c22b4ba435

memory/1484-215-0x0000000000550000-0x0000000000562000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\81a20895-7992-478c-a1f6-70e9c4005aa3.vbs

MD5 46a3d6a02b808a3f449c0a5e7c72ac0c
SHA1 6b8872cd8b4124eb78ed3208c17590d4e1603a7d
SHA256 56df465e4916dae7b26bf1405eba3108f655340059ff7948a3cc695388e94a29
SHA512 7a7316702c70f244eb7488c773cc7df64e7b9ced7de59a03ee40ef542906fcdf69ffa33fef8fd63a4c946d0235a6b5d5dca616e092fd5e11149604cf425a05d7

memory/2472-227-0x0000000000C40000-0x0000000000C52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\254fd276-a90b-42e9-bc22-f3c0c470bddf.vbs

MD5 453921fc64fd4b713d345cb17079da34
SHA1 cacff0b65ed085d1a7bacd9027ffdc6447f6c852
SHA256 ab76d934c18e05a34637f34ab8002356071c52dc4a0a0aaeb90ff2531a5e6b81
SHA512 91b483734d4e7b75d16fcbaeee101cc0de3c3a2a2c5583b8dd33c4a967bd746d6871712378857a6f8ab566cf164d3f5acb27ec5fb7c707f2d664677bc29dfa28

C:\Users\Admin\AppData\Local\Temp\87983f1d-2c5a-4e9e-ad7a-6268d1febc9b.vbs

MD5 a0ae6bbae85e716c275bca0d04a843c1
SHA1 175d5dcf859e86b7005a3d2017731d4755abbb94
SHA256 0a3186859570147ae1e6878cc9a2c765f7469abbd4c80db7f42bbcdbc0a3a966
SHA512 c3886b74bd558c23b9af989382c4b391090365ff086100a29f23a7e2572ef21068ae56837173f34ae8337c257e582f5652cb720b3cd706c1adb45cd2b375c44e

memory/1780-250-0x0000000001340000-0x0000000001626000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6ce27bbf-81d8-413e-b18f-d55c53d4e8e1.vbs

MD5 3dd8d5a612f09af9651e49f4dc63753e
SHA1 9361fbb7ac22ef5e8bd2f748b680f274b76cb4cf
SHA256 edff42637b5453d066994447e081352b1b7a0bb9e37d04388c65b4f8d4946e99
SHA512 68c46460ea18b1b711678a268e578ab9eeb20b1f5dbc23bdc6b7d9dbf7ee117909f36b0203481ef1f04a2ef772f5b90cc274f0dd6a5dcd477db967519bd4a3ff

C:\Users\Admin\AppData\Local\Temp\babcc170-13ac-40bf-be35-ae34702a755e.vbs

MD5 8d20768946f4bbd6150f66938eeb4e49
SHA1 0effafddd7e357ad11725e26d9d616c8ee71d9a6
SHA256 81c91ece78f828dcceb2bd1f3c23065ea6118ec3f5fe11e0e881759eca88d065
SHA512 21a02412751ed811a8e486017f124db975bf0116ccada80e370270b357b3a5e302f3a78d305e89098415ccf09bac6393f1793f8d6ca1ba101bb6cd4479c3f593

memory/2168-273-0x00000000002C0000-0x00000000005A6000-memory.dmp

memory/2168-274-0x0000000000990000-0x00000000009A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11708d4c-d3f6-420b-bf7a-5970c65c2b2e.vbs

MD5 ca8d1a3fc86cb97b774754dc338a9301
SHA1 cd30f835411f3582554da8f823fb0fb3d6b947b6
SHA256 b21280afff8e6bf0b0b4d7231127eed883f2af4ef0a33967e3c7fbceacb03f30
SHA512 e548475e60f30088f237297186e5109a2f3d8f0b4b1c7577da29a609d06cc784eadf6947ac47d046fe2642ce7c90b95e8558ec412f982d53bb71d32fb76559f9

memory/320-286-0x0000000000EC0000-0x00000000011A6000-memory.dmp

memory/320-287-0x0000000000E20000-0x0000000000E32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\260a53a8-3477-40db-8dc1-f3b67bf62dc7.vbs

MD5 b550bec859709157db8847c6a8a8b4e8
SHA1 97e3614e614b7fa584702e7611d28fdb6526b717
SHA256 cdad0a1032bf5e0409d029cda6c769848c039c5786cc79f8827afdbc65f82388
SHA512 309699affb8197d7b97750fa770b2f020a7552dfae2db2208b05f4418b9b998265e285ce7c3d172aa754829c6e805a2f929c3d41113e1d92d6f90f2f8b749863

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 07:48

Reported

2024-05-15 07:51

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Default User\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Default User\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Default User\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Default User\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Default User\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Default User\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Default User\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Default User\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Default User\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Default User\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Default User\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Default User\SearchApp.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Internet Explorer\fr-FR\e6c9b481da804f C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Program Files\Internet Explorer\fr-FR\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Internet Explorer\fr-FR\RCX5896.tmp C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\sysmon.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RCX69E4.tmp C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\explorer.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\sysmon.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\121e5b5079f7c0 C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCX5681.tmp C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\explorer.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Internet Explorer\fr-FR\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\RCX652E.tmp C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\csrss.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Windows\tracing\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Windows\es-ES\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\tracing\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\RCX4FE7.tmp C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\es-ES\RCX5EA4.tmp C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\es-ES\csrss.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Windows\tracing\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Windows\es-ES\csrss.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File created C:\Windows\Globalization\ELS\SpellDictionaries\wininit.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\tracing\RCX4DE2.tmp C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\csrss.exe C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\RCX51EC.tmp C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Default User\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Default User\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Default User\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Default User\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Default User\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Default User\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Default User\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Default User\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Default User\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Default User\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Default User\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Default User\SearchApp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Default User\SearchApp.exe N/A
N/A N/A C:\Users\Default User\SearchApp.exe N/A
N/A N/A C:\Users\Default User\SearchApp.exe N/A
N/A N/A C:\Users\Default User\SearchApp.exe N/A
N/A N/A C:\Users\Default User\SearchApp.exe N/A
N/A N/A C:\Users\Default User\SearchApp.exe N/A
N/A N/A C:\Users\Default User\SearchApp.exe N/A
N/A N/A C:\Users\Default User\SearchApp.exe N/A
N/A N/A C:\Users\Default User\SearchApp.exe N/A
N/A N/A C:\Users\Default User\SearchApp.exe N/A
N/A N/A C:\Users\Default User\SearchApp.exe N/A
N/A N/A C:\Users\Default User\SearchApp.exe N/A
N/A N/A C:\Users\Default User\SearchApp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\SearchApp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1192 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 1192 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2924 wrote to memory of 692 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2924 wrote to memory of 692 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2924 wrote to memory of 644 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\SearchApp.exe
PID 2924 wrote to memory of 644 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\SearchApp.exe
PID 644 wrote to memory of 4856 N/A C:\Users\Default User\SearchApp.exe C:\Windows\System32\WScript.exe
PID 644 wrote to memory of 4856 N/A C:\Users\Default User\SearchApp.exe C:\Windows\System32\WScript.exe
PID 644 wrote to memory of 5040 N/A C:\Users\Default User\SearchApp.exe C:\Windows\System32\WScript.exe
PID 644 wrote to memory of 5040 N/A C:\Users\Default User\SearchApp.exe C:\Windows\System32\WScript.exe
PID 4856 wrote to memory of 4924 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\SearchApp.exe
PID 4856 wrote to memory of 4924 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\SearchApp.exe
PID 4924 wrote to memory of 4372 N/A C:\Users\Default User\SearchApp.exe C:\Windows\System32\WScript.exe
PID 4924 wrote to memory of 4372 N/A C:\Users\Default User\SearchApp.exe C:\Windows\System32\WScript.exe
PID 4924 wrote to memory of 2644 N/A C:\Users\Default User\SearchApp.exe C:\Windows\System32\WScript.exe
PID 4924 wrote to memory of 2644 N/A C:\Users\Default User\SearchApp.exe C:\Windows\System32\WScript.exe
PID 4372 wrote to memory of 4608 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\SearchApp.exe
PID 4372 wrote to memory of 4608 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\SearchApp.exe
PID 4608 wrote to memory of 3364 N/A C:\Users\Default User\SearchApp.exe C:\Windows\System32\WScript.exe
PID 4608 wrote to memory of 3364 N/A C:\Users\Default User\SearchApp.exe C:\Windows\System32\WScript.exe
PID 4608 wrote to memory of 1516 N/A C:\Users\Default User\SearchApp.exe C:\Windows\System32\WScript.exe
PID 4608 wrote to memory of 1516 N/A C:\Users\Default User\SearchApp.exe C:\Windows\System32\WScript.exe
PID 3364 wrote to memory of 876 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\SearchApp.exe
PID 3364 wrote to memory of 876 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\SearchApp.exe
PID 876 wrote to memory of 4468 N/A C:\Users\Default User\SearchApp.exe C:\Windows\System32\WScript.exe
PID 876 wrote to memory of 4468 N/A C:\Users\Default User\SearchApp.exe C:\Windows\System32\WScript.exe
PID 876 wrote to memory of 4448 N/A C:\Users\Default User\SearchApp.exe C:\Windows\System32\WScript.exe
PID 876 wrote to memory of 4448 N/A C:\Users\Default User\SearchApp.exe C:\Windows\System32\WScript.exe
PID 4468 wrote to memory of 2524 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\SearchApp.exe
PID 4468 wrote to memory of 2524 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\SearchApp.exe
PID 2524 wrote to memory of 3328 N/A C:\Users\Default User\SearchApp.exe C:\Windows\System32\WScript.exe
PID 2524 wrote to memory of 3328 N/A C:\Users\Default User\SearchApp.exe C:\Windows\System32\WScript.exe
PID 2524 wrote to memory of 404 N/A C:\Users\Default User\SearchApp.exe C:\Windows\System32\WScript.exe
PID 2524 wrote to memory of 404 N/A C:\Users\Default User\SearchApp.exe C:\Windows\System32\WScript.exe
PID 3328 wrote to memory of 4336 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\SearchApp.exe
PID 3328 wrote to memory of 4336 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\SearchApp.exe
PID 4336 wrote to memory of 2160 N/A C:\Users\Default User\SearchApp.exe C:\Windows\System32\WScript.exe
PID 4336 wrote to memory of 2160 N/A C:\Users\Default User\SearchApp.exe C:\Windows\System32\WScript.exe
PID 4336 wrote to memory of 464 N/A C:\Users\Default User\SearchApp.exe C:\Windows\System32\WScript.exe
PID 4336 wrote to memory of 464 N/A C:\Users\Default User\SearchApp.exe C:\Windows\System32\WScript.exe
PID 2160 wrote to memory of 3572 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\SearchApp.exe
PID 2160 wrote to memory of 3572 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\SearchApp.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\SearchApp.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\fr-FR\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\fr-FR\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Desktop\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bTZqdeVjxS.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\SearchApp.exe

"C:\Users\Default User\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3377673-5238-46aa-8bb8-d337e3a1bef2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a985be6-bb15-4b70-9027-e9a6b09f1f34.vbs"

C:\Users\Default User\SearchApp.exe

"C:\Users\Default User\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcb50ee3-b6f0-43f8-9888-feec33f690fb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90ddbed6-cf46-4a00-a1eb-8748b22212a6.vbs"

C:\Users\Default User\SearchApp.exe

"C:\Users\Default User\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58d2159b-bb97-4abc-af96-3ed50b8cb3a8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1141c1a3-4ab9-45b6-9401-0c7808347786.vbs"

C:\Users\Default User\SearchApp.exe

"C:\Users\Default User\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c287d85-ea58-4341-8bfc-8b0874a4ed11.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\378d01be-84b0-4205-9c10-cbd8aa48f517.vbs"

C:\Users\Default User\SearchApp.exe

"C:\Users\Default User\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f90df0a3-2cfe-403d-afe5-947beea7e1c2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03fed305-4fb7-4f39-8578-8a16ea1aa5e3.vbs"

C:\Users\Default User\SearchApp.exe

"C:\Users\Default User\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d92a96b-da55-481a-9c25-8e69c0c4aa13.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\208485dc-94bc-4d0e-82ba-6f73131f7da7.vbs"

C:\Users\Default User\SearchApp.exe

"C:\Users\Default User\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f6c84fe-45a2-4391-b30d-471e97ccee82.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0c6a276-ec10-4e2e-99cf-8f1bc3edb5c3.vbs"

C:\Users\Default User\SearchApp.exe

"C:\Users\Default User\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6583eeca-7b46-4c2e-a3fa-dca195e9217d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b25e896-ad08-4a49-bf38-15ccf5350c54.vbs"

C:\Users\Default User\SearchApp.exe

"C:\Users\Default User\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b6f1efd-1373-4290-bef9-69906f9689fd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1abcac1-f3de-4583-ba26-b9d13da5a272.vbs"

C:\Users\Default User\SearchApp.exe

"C:\Users\Default User\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ced3bcd-7119-40ff-bc04-2ebab54349ee.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cfd9777-dd1e-4dad-80b7-6a7b50b44985.vbs"

C:\Users\Default User\SearchApp.exe

"C:\Users\Default User\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92305b84-615e-4c51-a82c-17f274c8b008.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5670110e-3ece-43e1-93f5-0e2665f1088c.vbs"

C:\Users\Default User\SearchApp.exe

"C:\Users\Default User\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5af9c4f-13a5-4736-92cb-6efda4eaad09.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77f7ad0a-f3d8-41c3-ae2e-6e87b43ad04e.vbs"

C:\Users\Default User\SearchApp.exe

"C:\Users\Default User\SearchApp.exe"

Network

Country Destination Domain Proto
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 247.68.154.149.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp
RU 149.154.68.247:80 149.154.68.247 tcp

Files

memory/1192-0-0x00007FFBFB903000-0x00007FFBFB905000-memory.dmp

memory/1192-1-0x0000000000C50000-0x0000000000F36000-memory.dmp

memory/1192-2-0x00007FFBFB900000-0x00007FFBFC3C1000-memory.dmp

memory/1192-3-0x000000001C160000-0x000000001C17C000-memory.dmp

memory/1192-4-0x000000001C1D0000-0x000000001C220000-memory.dmp

memory/1192-6-0x000000001C180000-0x000000001C190000-memory.dmp

memory/1192-5-0x00000000030C0000-0x00000000030C8000-memory.dmp

memory/1192-8-0x000000001C1B0000-0x000000001C1B8000-memory.dmp

memory/1192-9-0x000000001C1C0000-0x000000001C1C8000-memory.dmp

memory/1192-10-0x000000001C220000-0x000000001C230000-memory.dmp

memory/1192-7-0x000000001C190000-0x000000001C1A6000-memory.dmp

memory/1192-11-0x000000001C230000-0x000000001C23A000-memory.dmp

memory/1192-12-0x000000001C240000-0x000000001C296000-memory.dmp

memory/1192-13-0x000000001C290000-0x000000001C29C000-memory.dmp

memory/1192-14-0x000000001C2A0000-0x000000001C2A8000-memory.dmp

memory/1192-15-0x000000001C3B0000-0x000000001C3BC000-memory.dmp

memory/1192-16-0x000000001C2B0000-0x000000001C2C2000-memory.dmp

memory/1192-17-0x000000001C8F0000-0x000000001CE18000-memory.dmp

memory/1192-18-0x000000001C2E0000-0x000000001C2E8000-memory.dmp

memory/1192-23-0x000000001C330000-0x000000001C33E000-memory.dmp

memory/1192-22-0x000000001C320000-0x000000001C328000-memory.dmp

memory/1192-25-0x000000001C350000-0x000000001C358000-memory.dmp

memory/1192-26-0x000000001C360000-0x000000001C36A000-memory.dmp

memory/1192-24-0x000000001C340000-0x000000001C34C000-memory.dmp

memory/1192-21-0x000000001C310000-0x000000001C31E000-memory.dmp

memory/1192-20-0x000000001C300000-0x000000001C30A000-memory.dmp

memory/1192-27-0x000000001C370000-0x000000001C37C000-memory.dmp

memory/1192-19-0x000000001C2F0000-0x000000001C2F8000-memory.dmp

C:\Program Files (x86)\Adobe\Acrobat Reader DC\explorer.exe

MD5 a76c3992f0ce41945386691b991de4f0
SHA1 694416f5f2cc6579af87f08175b52f9039930972
SHA256 92e319b1b62dd242ccb3feaaa29200780cc33c46a5b35a4f5723fbcd73976023
SHA512 6f8e49018ca2bd9ef4f002d968903cd6e414d61afbc68e8c70f74e1c473d612ed07f25af2c129fbd59105b71c9704cbc4c4b2e1b889ef3ebb8896a64b6ba7870

C:\Users\Admin\sihost.exe

MD5 31041dd60a6c75eb61e4659f3b3807f9
SHA1 dfd330395b119125f606bea62c627b4dfb1e7ee1
SHA256 f137c910af59a38f421b56f4d30f2273ac5f70de2fb16ddae04f716dc462bcb9
SHA512 9030c782118650a9ce9b6efd0853fb5ef76b4ff6484616421e75031c55ee2ed52ea71e39693878224a01d279cbcf48e1dde4ea8cb7f9a534c036a0f477548006

C:\Users\Public\Videos\RuntimeBroker.exe

MD5 50ccccd7fbbdad41f811b17823c8c9df
SHA1 14a985bf894aae6162b6ba47b2d8a3a72284a09a
SHA256 c88a6e96d6f23b84050e855dbe400e766e9a250689d2a5694d6ef9936e2ed2b6
SHA512 65cd027b8344f4563ddd2609c2bb23e3096d7121e49b014fe3043ed95414ce053659524e50c8a4c9eb11b0e06aa25f4820fbf3ed0c72dde76f5841ae4c05a109

C:\Program Files (x86)\WindowsPowerShell\Modules\sysmon.exe

MD5 2076220deaaeda79cbcd385dda4a1135
SHA1 d596dcfdf47f7c31c495477032f8c58520e15048
SHA256 26632d2e192536fb43ac2c610dd1efa91b41179d040276004c4fd37cc5245b54
SHA512 93263d7c2891402c3cf1b2007403b081f2a74a892c14bc757da166e347b6a42d247240460247523b6f9fe876c34962f3e0c010a7ba21c95b14403c621effc941

C:\Program Files\Windows Sidebar\Gadgets\RCX69E4.tmp

MD5 3f589e3b8016af54850b0adff9e6d021
SHA1 9da46554b8904adf9f5b975311464cc871223afd
SHA256 860ef4434663f7377e1e71372b99cbf21438865a4a48c736619a21daa106b92a
SHA512 1e3faeaac8289bff7a26c7baceb73072ab3f1545bee7d007407c1679e33ea675c2220848f9eb78aab47a0e528c67fa994e0d5116646b1ed687c42ae87fe6810a

memory/1192-177-0x00007FFBFB900000-0x00007FFBFC3C1000-memory.dmp

memory/1104-187-0x00000178A4EB0000-0x00000178A4ED2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_01qsignx.dhs.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\bTZqdeVjxS.bat

MD5 8f1c52e7f6b4601d0dfb001cbde5c9b5
SHA1 e17bdd2c425bb0a748f44ad38f8f8a333165ab13
SHA256 c21604e4995a81d56d169fdca375f922023ee39822ca013ef9d92807698b381c
SHA512 734d75fce9f8d530580468a2cf716c345ee2373ad0fbbc547b9a8fdc0947ffc67e821fcd9e1c7fb9225ceaf3c86638143187e1a922d00e6091512aaba2d8437d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Temp\f3377673-5238-46aa-8bb8-d337e3a1bef2.vbs

MD5 685ff2f58c23bb1bff6e280b2c1ba8f8
SHA1 14c3b125f9610fa8a445d746ca7bf592053433a4
SHA256 cabcc11c67c17ee64b263d6f258dbf763d7702981f38ec4375b97f88248e4efd
SHA512 7a573a6e5cba72a40869451ec2172c40ada89f831c3504e74310a7606c93f41003115a155bebd78500151aac8debefef16ba89727ba785cd2f57dd6b58857073

C:\Users\Admin\AppData\Local\Temp\8a985be6-bb15-4b70-9027-e9a6b09f1f34.vbs

MD5 c52b233e583489e5f7433572f077f5b4
SHA1 f68785bbba4de7b51af0b12a09756b9d0b6d6578
SHA256 37b28683903d250d38d3618bb1c35be0610deabafd92890cef6ac9b436fa17ce
SHA512 e084ee7c658be8e3d1ac33d82d1a8b483e256d7ceb1997eb662fb60730f920dcc118ddb8ae5e36c6f5a0118b5ad3ecfd9e8603416206f5dacf666fd95c3d3767

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

C:\Users\Admin\AppData\Local\Temp\dcb50ee3-b6f0-43f8-9888-feec33f690fb.vbs

MD5 1e7168949d87de32fd265a56f31514fa
SHA1 dd8a0c66b23c6077e02478aaf3ff4660ecf643a2
SHA256 16f213a83fb556f6714ba9e43730922f0a45395d1cbd1d10b8b270698ab1468f
SHA512 f710a71191e598833d029404a134b94b32d3a0028124694c21e7fbd998b1c83bd4fb3b777493dcd3315b39b6a2bea5fcb3ee61ec509879f3397a5a545b5591ba

C:\Users\Admin\AppData\Local\Temp\58d2159b-bb97-4abc-af96-3ed50b8cb3a8.vbs

MD5 faeb6c65b9f1ab74ac23b1b0a416d45d
SHA1 8cb57d1c57f4673f309a6816aa26e550ea4f4a86
SHA256 5827f1027bdf2786105d5e9cf19d790df08fa2d4e2341d795151e64c00e29db8
SHA512 8bced1dc25e16c82c990654174dcd2f1758a328470e8d7ab1ad23763afe861de0a8ff896442bd300e9bc4087bf59acee79a3be183702d28d4263b8040140c4bf

C:\Users\Admin\AppData\Local\Temp\1c287d85-ea58-4341-8bfc-8b0874a4ed11.vbs

MD5 ba405b5f0696c5e082d262ae388c6554
SHA1 646af058b14ec53688edbbc6066aea18a52be298
SHA256 216f7b1616d258b15ec3f9fb676a961a91fa998543affb8c8d32e5636ae86e8c
SHA512 b2807e7571d5b68a0c59ad5194ada5c75eb2a1e5aba97f6e5a467baecda2ebd46de37894ddb11ce857ff4187db4692ffb9a99a411231751eb1e2b48a56f41e32

C:\Users\Admin\AppData\Local\Temp\f90df0a3-2cfe-403d-afe5-947beea7e1c2.vbs

MD5 18c91d97244066aeb1541d7e7824497b
SHA1 9929aac56a2f638770f2b454ae13585944745d02
SHA256 0db8026a03abc63c3e775bb202c081d91ca2b69f8bf308a8452dec9079bba303
SHA512 e66e69a653e33f0ac02b9e4482282a8363ed1af54d4fe97a727bb2a39450a7a6f45953325e1a5e292c4365ab8ad157170db29a0d1560e771506017eb1185ae42

memory/4336-361-0x000000001B810000-0x000000001B822000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2d92a96b-da55-481a-9c25-8e69c0c4aa13.vbs

MD5 df0e49d3733578449a63371740df62a3
SHA1 2bd290be5e1317c0b8c7ed9da595cb264030c445
SHA256 f545820e4becea6b7ea2aba88aebb3168d9dfaced4a7134d5735e84ee1bb2ae1
SHA512 3fc7da1127dabb161a938be1df519c9a693d131efc5fad08527c75df4da5a2701342a3c2ba1b9ed59c9fe7c24592ace17fccf18057a82ad9b200667da109cdc0

C:\Users\Admin\AppData\Local\Temp\7f6c84fe-45a2-4391-b30d-471e97ccee82.vbs

MD5 e1426dd2381cebbfbacd6cfc5db09dab
SHA1 0ca4e4b21f8c08f1961fc11ec783e239a7585b21
SHA256 bdbd845200eb71ea51d1493fe087ab1c0c73217d0192a54a996b3f05ab0d72ab
SHA512 20b814e48e913adaac66b0ea1673c84d4ccd5a14ebd38fd8a01e0d8d857ea5cb040cfaa8eb591093955109766b6d6552466a525d0ba5ce8a975ee37d5e4259a6

C:\Users\Admin\AppData\Local\Temp\6583eeca-7b46-4c2e-a3fa-dca195e9217d.vbs

MD5 1bccd0b10698534c4c1e83b3c591a8a0
SHA1 2afd8dda976f194b13b91d9fa2119dcc5d70e596
SHA256 fb99aa84d11d9288c6007113b9df3743b47bd99f1af444e07e0781748ca937c2
SHA512 143a03ec53aedf76c49298d276603f1ab710599e92750ea24fdb3269bbd3d2848ed91d6751a43a2f9fb2e07f30c6aa3f2e770025ef1d9f642c33bdc81338f19d

C:\Users\Admin\AppData\Local\Temp\5b6f1efd-1373-4290-bef9-69906f9689fd.vbs

MD5 274f12ee35485636d99fd332fe162790
SHA1 4ef1a98923d30b69037fed7b0b0925d23b82dae4
SHA256 6db09f41968962d903c06f8a5df967b5deb0dc199655c648145515bc95fd323e
SHA512 102647363bc02002bd786ccd8af0d098fbc50236d0c9894a882e36a12b4f8ba938b7ed5a6b68fa7ee8897fed4ef50433e3605ce32c73b4f93ac6dafa61e39c52

C:\Users\Admin\AppData\Local\Temp\1ced3bcd-7119-40ff-bc04-2ebab54349ee.vbs

MD5 0f03e10f43939cd33d379837eab39517
SHA1 27965f9997fe1790a395f98d001603632dc59ee4
SHA256 6587f7777a3f4a236424c1e652c724ff06a968f5727135873c854ecd8a32f623
SHA512 b0f03a8bd718a1263618b847cd8368837788465642c32f827d1da1e535a7140ac614ec342994f545aeb1d803fa6da863c8174770fe83d4587e1cf2eceabeaa6a

memory/956-416-0x000000001C7E0000-0x000000001C8E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d5af9c4f-13a5-4736-92cb-6efda4eaad09.vbs

MD5 e7e7cc0bf01f6b154916379ba3ecb980
SHA1 9fc44a0758fe17ce197aa25658f6dc36bfe8ed05
SHA256 ed5db7c1e7effd9894e7838869f2b1a069dd447d6b5bc8db8ac03f2774368b86
SHA512 2f25520639459e4a2444fc75da8d6805702e41e4fd4b27fc24e9e4561acc170d104406dafe769e84bddeab91c61b22f017fc46f3b595041ea9bb439d2016ddb6