Malware Analysis Report

2024-11-13 13:42

Sample ID 240515-nd9q7seg6x
Target cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics
SHA256 dbadac74214c5322f8d6f4766163e43212c9d1085dfa9a2139f59ff01c87867b
Tags
rat dcrat infostealer persistence
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

dbadac74214c5322f8d6f4766163e43212c9d1085dfa9a2139f59ff01c87867b

Threat Level: Known bad

The file cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer persistence

DcRat

DCRat payload

Dcrat family

Process spawned unexpected child process

Modifies WinLogon for persistence

DCRat payload

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 11:18

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 11:18

Reported

2024-05-15 11:20

Platform

win7-20240215-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (33 identical rows, one per schtasks.exe process listed under Processes)

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Windows\\IME\\en-US\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Idle.exe\", \"C:\\Users\\Public\\Desktop\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Windows\\IME\\en-US\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Idle.exe\", \"C:\\Users\\Public\\Desktop\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Windows\\IME\\en-US\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Idle.exe\", \"C:\\Users\\Public\\Desktop\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Windows\\IME\\en-US\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Idle.exe\", \"C:\\Users\\Public\\Desktop\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Program Files\\VideoLAN\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Windows\\IME\\en-US\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Windows\\IME\\en-US\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Windows\\IME\\en-US\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Windows\\IME\\en-US\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Windows\\IME\\en-US\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Idle.exe\", \"C:\\Users\\Public\\Desktop\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Program Files\\VideoLAN\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\WSS\\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (33 identical rows, one per schtasks.exe process listed under Processes)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (5 matches; no description, indicator, process or target recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\IME\en-US\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Internet Explorer\\it-IT\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\VideoLAN\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Internet Explorer\\it-IT\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Public\\Desktop\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Public\\Desktop\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\VideoLAN\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics = "\"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\WSS\\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics = "\"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\WSS\\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\IME\\en-US\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\IME\\en-US\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
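The Winlogon Shell rows and the Run-key rows above both point at copies of the sample renamed after Windows processes (dllhost, spoolsv, services, lsm, dwm, audiodg, Idle) and placed in directories where those binaries never live. The helper below is an added example, not part of the sandbox report or of the DcRat sample: it parses a Shell value the way Winlogon consumes it (a comma-separated list of programs, every one of which is started at logon), extracts the program from each Run value, and flags entries whose file name impersonates a Windows process from a non-system directory. The embedded sample values are the report's own rows with the display escaping removed; the impersonated-name list and the directory allowlist are the example's assumptions.

```python
"""Added triage helper for the Winlogon Shell and Run-key persistence entries.

Winlogon reads the Shell value as a comma-separated list and starts every
program in it, so anything appended after the stock explorer.exe runs at each
interactive logon. The sample values at the bottom are the report's own rows
with the display escaping removed; the name list and directory allowlist are
this example's assumptions.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Process names the dropped copies borrow (all taken from the report) plus a
# few other core Windows processes. "Idle.exe" has no on-disk counterpart; it
# mimics the "System Idle Process" display name, so any file so named is suspect.
IMPERSONATED_NAMES = {
    "dllhost.exe", "spoolsv.exe", "services.exe", "lsm.exe", "dwm.exe",
    "audiodg.exe", "idle.exe", "explorer.exe", "csrss.exe", "lsass.exe",
    "winlogon.exe", "svchost.exe", "wininit.exe", "smss.exe",
}
# Directories where the genuine binaries live (explorer.exe sits in C:\Windows).
LEGITIMATE_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

# One Shell entry: a double-quoted string, or a bare run of non-comma characters.
_SHELL_ENTRY = re.compile(r'"([^"]*)"|([^",]+)')


def split_shell_value(value: str) -> list[str]:
    """Split a Winlogon Shell string into the programs Winlogon will start."""
    entries = []
    for quoted, bare in _SHELL_ENTRY.findall(value):
        entry = (quoted or bare).strip()
        if entry:
            entries.append(entry)
    return entries


def run_key_target(data: str) -> str:
    """Return the program path from Run value data (quoted path, no arguments)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data


def is_masquerading(path: str) -> bool:
    """True when the file name is a Windows process name but the file is not
    in a directory where the genuine binary lives. A bare name without a
    directory (the stock explorer.exe entry) is not flagged."""
    p = PureWindowsPath(path)
    if p.name.lower() not in IMPERSONATED_NAMES or p.parent == PureWindowsPath("."):
        return False
    return str(p.parent).lower() not in LEGITIMATE_DIRS


def triage(shell_value: str, run_values: dict[str, str]) -> dict:
    """Summarise what the Shell value and the Run values will launch."""
    launched = split_shell_value(shell_value)
    return {
        "shell_launches": launched,
        "shell_extra": [e for e in launched if e.lower() != "explorer.exe"],
        "shell_masquerading": [e for e in launched if is_masquerading(e)],
        "run_masquerading": {
            name: run_key_target(data)
            for name, data in run_values.items()
            if is_masquerading(run_key_target(data))
        },
    }


# Final Shell value written by the sample (the longest "Set value" row above).
SAMPLE_SHELL_VALUE = (
    r'explorer.exe, "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe", '
    r'"C:\Program Files (x86)\Common Files\spoolsv.exe", "C:\Windows\IME\en-US\spoolsv.exe", '
    r'"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe", '
    r'"C:\Program Files\Internet Explorer\it-IT\services.exe", '
    r'"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe", '
    r'"C:\Users\Public\Desktop\dllhost.exe", '
    r'"C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe", '
    r'"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe", '
    r'"C:\Program Files\VideoLAN\dwm.exe", '
    r'"C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe"'
)
# Four of the Run values from the report (value name -> data).
SAMPLE_RUN_VALUES = {
    "dllhost": r'"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe"',
    "spoolsv": r'"C:\Program Files (x86)\Common Files\spoolsv.exe"',
    "services": r'"C:\Program Files\Internet Explorer\it-IT\services.exe"',
    "cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics": r'"C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe"',
}

if __name__ == "__main__":
    result = triage(SAMPLE_SHELL_VALUE, SAMPLE_RUN_VALUES)
    print(f"{len(result['shell_extra'])} programs appended to Shell, "
          f"{len(result['shell_masquerading'])} impersonate Windows processes")
    for entry in result["shell_masquerading"]:
        print("  Shell:", entry)
    for name, target in result["run_masquerading"].items():
        print(f"  Run\\{name}: {target}")
```

On the report's final Shell value the helper reports eleven programs appended after explorer.exe, ten of which carry a Windows process name from a non-system path; the eleventh is the renamed sample itself, which only a hash or path indicator would catch. The same check applied to the Run values flags every entry except the one named after the sample.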

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX26CB.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\RCX3654.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files\Internet Explorer\it-IT\services.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files\VideoLAN\dwm.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\RCX2244.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\VideoLAN\RCX344E.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\VideoLAN\dwm.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Internet Explorer\it-IT\RCX293D.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\VideoLAN\RCX344F.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files\VideoLAN\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\04c0b05ac7e333 C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Internet Explorer\it-IT\RCX28CF.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\RCX22B2.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\RCX3653.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Common Files\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX26BB.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Internet Explorer\it-IT\services.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Common Files\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files\Internet Explorer\it-IT\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\IME\en-US\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\IME\en-US\RCX24B6.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\IME\en-US\RCX24B7.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\IME\en-US\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Windows\IME\en-US\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (33 identical rows, one per schtasks.exe process listed under Processes)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\IME\en-US\spoolsv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\IME\en-US\spoolsv.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\en-US\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\IME\en-US\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\IME\en-US\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\it-IT\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\it-IT\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cf7d433c32279d2756c1e3a67e86b100_NeikiAnalyticsc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cf7d433c32279d2756c1e3a67e86b100_NeikiAnalyticsc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\IME\en-US\spoolsv.exe

"C:\Windows\IME\en-US\spoolsv.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dcrat.jorikbz3.beget.tech udp
US 8.8.8.8:53 jorikbz3.beget.tech udp

Files


C:\Program Files\Internet Explorer\it-IT\services.exe

MD5 cf7d433c32279d2756c1e3a67e86b100
SHA1 3fa407d870f47bc0566c98519d29229bfad39353
SHA256 dbadac74214c5322f8d6f4766163e43212c9d1085dfa9a2139f59ff01c87867b
SHA512 365336fcb9b9f04f284071caeaadc5deb90be118ec837a957a9d9dcae7570d95430379c24bb8d2edf2ce783b2722bf3129da81c292a3b33692e3f28749e204b3

C:\Program Files (x86)\Common Files\spoolsv.exe

MD5 dee05215e09bc9b82c96109eb7b8b5be
SHA1 b3795a9715f4aadad598acdde007abdc111a7c5c
SHA256 27f902cfdac4de4d304c57f82af95ffffe5b3651ee880b933a7aba7bd1ba8d23
SHA512 9c3b876c1de08cd721b7085eb704524fa2e4901054b1a231ec3d16c68973752ad205e517bcec99a9659db2f9ded9ded5fe4b6f5bb6c5448d2dd572c1e7cfc7d0

C:\Program Files\Internet Explorer\it-IT\services.exe

MD5 163e97e19de5b4477e0bdbcd690839b3
SHA1 e487b532cb712fb86797c1304f5cfce81dc2b099
SHA256 029798dbaa509dbfbdd9f2b910f850896968f50bec2e7ffe8f52f34a630c52a5
SHA512 28edb87833ba1dc732006811e77d0bfa319436a9fd12dba103b739c402d44a9cbfcaae6665f740902f4bc8d496547c330547e64f1d2307c36186a2fdcdf98261

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 11:18

Reported

2024-05-15 11:20

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (51 occurrences)

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\sihost.exe\", \"C:\\Windows\\it-IT\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\spoolsv.exe\", \"C:\\Windows\\Sun\\Java\\Deployment\\dllhost.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\csrss.exe\", \"C:\\Program Files (x86)\\MSBuild\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\\pris\\sysmon.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\sihost.exe\", \"C:\\Windows\\it-IT\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\spoolsv.exe\", \"C:\\Windows\\Sun\\Java\\Deployment\\dllhost.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\csrss.exe\", \"C:\\Program Files (x86)\\MSBuild\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\\pris\\sysmon.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\", \"C:\\Program Files\\dotnet\\shared\\smss.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Users\\Admin\\Saved Games\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\sihost.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\sihost.exe\", \"C:\\Windows\\it-IT\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\spoolsv.exe\", \"C:\\Windows\\Sun\\Java\\Deployment\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\sihost.exe\", \"C:\\Windows\\it-IT\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\spoolsv.exe\", \"C:\\Windows\\Sun\\Java\\Deployment\\dllhost.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\sihost.exe\", \"C:\\Windows\\it-IT\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\spoolsv.exe\", \"C:\\Windows\\Sun\\Java\\Deployment\\dllhost.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\csrss.exe\", \"C:\\Program Files (x86)\\MSBuild\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\sihost.exe\", \"C:\\Windows\\it-IT\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\spoolsv.exe\", \"C:\\Windows\\Sun\\Java\\Deployment\\dllhost.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\csrss.exe\", \"C:\\Program Files (x86)\\MSBuild\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\sihost.exe\", \"C:\\Windows\\it-IT\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\sihost.exe\", \"C:\\Windows\\it-IT\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\spoolsv.exe\", \"C:\\Windows\\Sun\\Java\\Deployment\\dllhost.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\csrss.exe\", \"C:\\Program Files (x86)\\MSBuild\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\\pris\\sysmon.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\", \"C:\\Program Files\\dotnet\\shared\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\sihost.exe\", \"C:\\Windows\\it-IT\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\spoolsv.exe\", \"C:\\Windows\\Sun\\Java\\Deployment\\dllhost.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\csrss.exe\", \"C:\\Program Files (x86)\\MSBuild\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\\pris\\sysmon.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\", \"C:\\Program Files\\dotnet\\shared\\smss.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\sihost.exe\", \"C:\\Windows\\it-IT\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\sihost.exe\", \"C:\\Windows\\it-IT\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\spoolsv.exe\", \"C:\\Windows\\Sun\\Java\\Deployment\\dllhost.exe\", \"C:\\Users\\Admin\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\sihost.exe\", \"C:\\Windows\\it-IT\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\spoolsv.exe\", \"C:\\Windows\\Sun\\Java\\Deployment\\dllhost.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\csrss.exe\", \"C:\\Program Files (x86)\\MSBuild\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\\pris\\sysmon.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (51 occurrences)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (8 occurrences)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Saved Games\backgroundTaskHost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\Windows Sidebar\\Gadgets\\sihost.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Sun\\Java\\Deployment\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Admin\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\MSBuild\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\\pris\\sysmon.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\dotnet\\shared\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Admin\\Saved Games\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\it-IT\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\MSBuild\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\dotnet\\shared\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\Windows Multimedia Platform\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Admin\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Admin\\Saved Games\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Sun\\Java\\Deployment\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\Windows Multimedia Platform\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\Windows Sidebar\\Gadgets\\sihost.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\it-IT\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Sidebar\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Sidebar\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\\pris\\sysmon.exe\"" C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\smss.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RCX5E38.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\RCX7461.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RCX6AF4.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\csrss.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\MSBuild\csrss.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\MSBuild\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files\dotnet\shared\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\RCX62CF.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\RCX6DD5.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\dotnet\shared\RCX7667.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Multimedia Platform\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\RCX5C32.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RCX5E37.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\dotnet\shared\smss.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\sihost.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\RCX62D0.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\RCX7462.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\RCX5A0D.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\RCX5A0E.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\csrss.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RCX6A86.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\dotnet\shared\RCX7668.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\csrss.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\sihost.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\RCX5C33.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\RCX6D66.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\121e5b5079f7c0 C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\it-IT\RCX604C.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\it-IT\RCX60CA.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\it-IT\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Sun\Java\Deployment\RCX6552.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Windows\it-IT\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Windows\it-IT\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\sysmon.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Sun\Java\Deployment\RCX65C0.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\RCX724D.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\RCX724C.tmp C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Windows\Sun\Java\Deployment\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\sysmon.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File created C:\Windows\Sun\Java\Deployment\dllhost.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Sun\Java\Deployment\dllhost.exe C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (identical row repeated 51 times in the original table, matching the 51 schtasks.exe invocations listed under Processes)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A (identical row repeated 44 times in the original table)
N/A N/A C:\Users\Admin\Saved Games\backgroundTaskHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Saved Games\backgroundTaskHost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Gadgets\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Gadgets\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Sun\Java\Deployment\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Sun\Java\Deployment\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\shared\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\shared\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Saved Games\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Saved Games\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Users\Admin\Saved Games\backgroundTaskHost.exe

"C:\Users\Admin\Saved Games\backgroundTaskHost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 dcrat.jorikbz3.beget.tech udp
US 8.8.8.8:53 jorikbz3.beget.tech udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Program Files\Windows Sidebar\Gadgets\sihost.exe

MD5 cf7d433c32279d2756c1e3a67e86b100
SHA1 3fa407d870f47bc0566c98519d29229bfad39353
SHA256 dbadac74214c5322f8d6f4766163e43212c9d1085dfa9a2139f59ff01c87867b
SHA512 365336fcb9b9f04f284071caeaadc5deb90be118ec837a957a9d9dcae7570d95430379c24bb8d2edf2ce783b2722bf3129da81c292a3b33692e3f28749e204b3

C:\Windows\it-IT\RuntimeBroker.exe

MD5 c896688b4cb498f016485397dcbb03c6
SHA1 1a9646d6eb3621ee4396e1fee67a13c67eb22af5
SHA256 1f0a0320e7639846c9a5fdaceabcf83c31112bccdacc76a9fec3049383e21e54
SHA512 98d65d164d7308717f0e6c44402f28bfea77dd6a6846b8d81c8819d2a76a8f6cdf124915160983979b89befac964568448e08f8f1d16731f7e088be4dfb0a40a

C:\Windows\Sun\Java\Deployment\dllhost.exe

MD5 2cb077192e8a252ce7c9025eeaa7eb92
SHA1 e25a9024eb3d9f91cd8a83253d0b0b4e32647aec
SHA256 88fe2395155283d157e1f5a4906e43202aeb891317ad7810586f23cd95b7668e
SHA512 9e25a36db1084607c40c8e5ce842d64d569e2e74d3f174202c5816bd2402bd3e743af265c1dce9a6a6de89639faa9bf858754ff2b752928e0d35f868d6e204f3

C:\Users\Admin\services.exe

MD5 cf4101628cb97a27707cb5ddd17946ca
SHA1 5892485bf3b94c4fc7b88fa5b81499aeba16e22f
SHA256 e4f55929c6741875d885d0076e8afa79a696ee3bd610ddece41dc0fb41fc9927
SHA512 1d910ed0573a3da54e94ddb6d9ad8e109df87f5689b5b88f958f12d5762cc68bc959af8fa171fe7a1965ec4533382afeebf05c41fbd5f563a04c75a86c401767

C:\Recovery\WindowsRE\SppExtComObj.exe

MD5 617c6c0c26261e0f481454fa5ad45055
SHA1 4662d3d4ac6a87dc07527f973b0ba6e7af4dc847
SHA256 bd543d5dc2270a593fe9479436a216048fdeba927b225ec2c935894b813988f9
SHA512 5974e272c74d90b59d5877b80304af67e517bc6c7cb8d463efe51f4fefe5404412edf7f5758541ab70177e9457820ca9b949aac95748d355f8e7c3d042c85542

C:\Users\Admin\Saved Games\backgroundTaskHost.exe

MD5 f3bec4a9dc206c16eeb03e7cf951475c
SHA1 095c9704f7f0650bc34f698e5eab741595074c3f
SHA256 a184cdaf370f6c69babc476fce067680ccf32bea28193ed91a3331f253055ec2
SHA512 f35d17dcf7c9b62cbfe8ad53514a0b5ae71d635b03a8e2e056451a1eefe05d927831c5c7d91c7af3be5f67afe76978f9cd3da6e7c13342535739b170e7ad7591
