Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-05-2024 14:32

General

  • Target

    d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe

  • Size

    3.2MB

  • MD5

    d67c083b7f55c40deae2ac79549d0a70

  • SHA1

    c47be45497fe044d732a847a21b7b2be0172c8c5

  • SHA256

    ba381b7847ed129aa068cee625f78d7a8ec511a55d55feb86e22159ab43b6357

  • SHA512

    2fb0a24efd4e6349cc1f0f4193ac1b512dcb679478b65f51fb967b6c736192eb0e161e7020756e4a9ce03f89aae7789bac5ce57c0968ee60b095a25654511d6d

  • SSDEEP

    49152:HC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:HC0Fl8v/qXYrv5tG9uKJGAWl5N

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Process spawned unexpected child process (24 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass (3 TTPs, 21 IoCs)
  • DCRat payload (10 IoCs)

    Detects the payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell (1 TTPs, 12 IoCs)

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE (6 IoCs)
  • Checks whether UAC is enabled (1 TTPs, 14 IoCs)
  • Drops file in Program Files directory (15 IoCs)
  • Drops file in Windows directory (5 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTPs, 24 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (19 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTPs, 21 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2356
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1792
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1904
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1872
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:936
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2052
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:616
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1636
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2360
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3yp8Lh1nvX.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1532
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2772
        • C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe
          "C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1564
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9134db37-908c-4b12-8154-6872eb89f89b.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1256
            • C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe
              "C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe"
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1464
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ef3bd7f-27d8-4e40-a9ea-25b2948042f2.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2960
                • C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe
                  "C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe"
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:2964
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9814e38-6d80-41d9-9906-d36b3bb5075a.vbs"
                    8⤵
                      PID:2368
                      • C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe
                        "C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe"
                        9⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:356
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\714850e1-a388-4ed6-87ee-c07bc82a70f1.vbs"
                          10⤵
                            PID:2416
                            • C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe
                              "C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe"
                              11⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:1568
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6531ce0e-8e9c-42ec-af19-042b51cdd3c8.vbs"
                                12⤵
                                  PID:1956
                                  • C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe
                                    "C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe"
                                    13⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:2424
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6eba3c7-eaa4-48fb-b106-55e8c1e08021.vbs"
                                      14⤵
                                        PID:1680
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac8e8718-061d-43e2-902f-e6527e055f53.vbs"
                                        14⤵
                                          PID:1672
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15b2e935-933f-4737-a8f7-7e5f68b9f9c4.vbs"
                                      12⤵
                                        PID:2372
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e267d95c-20ad-4ce0-a1a7-b5fbb846c075.vbs"
                                    10⤵
                                      PID:2616
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c816ef90-c2c0-4528-a898-094a42074b6b.vbs"
                                  8⤵
                                    PID:1364
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6a85ec2-deac-4ec4-8695-07e27c00e29e.vbs"
                                6⤵
                                  PID:2760
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58c75df5-17af-4ea8-a9ca-29efd4cbb70e.vbs"
                              4⤵
                                PID:828
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2396
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2432
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2716
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "d67c083b7f55c40deae2ac79549d0a70_NeikiAnalyticsd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics" /sc ONLOGON /tr "'C:\Users\Default User\d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2488
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "d67c083b7f55c40deae2ac79549d0a70_NeikiAnalyticsd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1604
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1240
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2388
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Logs\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\bin\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\db\bin\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\bin\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Music\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2972
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Music\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2936
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Music\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2192

Network

MITRE ATT&CK Enterprise v15

                        Downloads

                        • C:\MSOCache\All Users\audiodg.exe

                          Filesize

                          3.2MB

                          MD5

                          a9382b0e5528f538177a02ac9485e0f4

                          SHA1

                          cf257b4b581a1ae426d8ec96f2f18b963909a34c

                          SHA256

                          e1bf9aa08427c45662b6551d255a7e9bbb9298703f0f6df816605ebfbd7b862e

                          SHA512

                          e823d0a7b2b44fe45ebdc02504966b718e1d0dad6e2b1942bc471ab01f63c5cc70039a5d336b2d36b4f3846f75983c2d3f50016f76e31c288e0315a28610160f

                        • C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\csrss.exe

                          Filesize

                          3.2MB

                          MD5

                          3a33e5a04cd8b8c8307752388207dc1a

                          SHA1

                          fb57277e38b57f85af77a31200de26063d7df85f

                          SHA256

                          953cf28191b60da96eb3e87d8408aaa7c01c6223c08e0adad7671f4f27e695c4

                          SHA512

                          dcf381697fb724671122a58bbbe7def5ac6902c724570cd8ffe228749d4ad0b4d0356b91722f7586d0dfd7b8a7940619e2a53a5354c8bf810771a8e8454c0ffd

                        • C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe

                          Filesize

                          3.2MB

                          MD5

                          d67c083b7f55c40deae2ac79549d0a70

                          SHA1

                          c47be45497fe044d732a847a21b7b2be0172c8c5

                          SHA256

                          ba381b7847ed129aa068cee625f78d7a8ec511a55d55feb86e22159ab43b6357

                          SHA512

                          2fb0a24efd4e6349cc1f0f4193ac1b512dcb679478b65f51fb967b6c736192eb0e161e7020756e4a9ce03f89aae7789bac5ce57c0968ee60b095a25654511d6d

                        • C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe

                          Filesize

                          3.2MB

                          MD5

                          c2e6edfcd164140d119c34b8d87846e7

                          SHA1

                          e5ba0d0054ce6ed33380d1725494e0165fb054ed

                          SHA256

                          8085200e428b8bb216943bf5a1cf9be4227616ba36559eadf695ee562f4347c7

                          SHA512

                          da571d98d4ada33bff0f576255071742bdb4e560274342683edb9fdb0a55d786799c3edcc4a4764942c0031fe36cc6eeceef33ea112db67b020d8fae549c6bd6

                        • C:\Users\Admin\AppData\Local\Temp\2ef3bd7f-27d8-4e40-a9ea-25b2948042f2.vbs

                          Filesize

                          721B

                          MD5

                          2ba016bd7f779a60a1cf08aeb927c521

                          SHA1

                          8f1fa1df85ea1c3021ffabe37a72751f088bc5fa

                          SHA256

                          2a7187d2856eb5fa697eb040bb130c69b4a562e52a09a9654520e16baa04a9cc

                          SHA512

                          cd145fe7146da2dd24b2c3aa2243981f2d8caae27165c0b4b499cc1d74add3f55036535514a134a2c468f35655ce755e3eac5b1f5df0c97a709b82b82e79693c

                        • C:\Users\Admin\AppData\Local\Temp\3yp8Lh1nvX.bat

                          Filesize

                          210B

                          MD5

                          d98553e5cad699375e6f5609503766ea

                          SHA1

                          48f1207aae37d2b57cfb45744946b033fcec28a0

                          SHA256

                          0f029a31cb333eaf2154dc3f30d45046f231bb5d34028ef1ba2925350d37e2ca

                          SHA512

                          938978a305c004d146b821111abcfe2570477c4355cd46a800ee9e8d53d3652717990f8f52c120c976170fa2b639203a632e062aaa39e37dfb23875d802ac5a9

                        • C:\Users\Admin\AppData\Local\Temp\58c75df5-17af-4ea8-a9ca-29efd4cbb70e.vbs

                          Filesize

                          497B

                          MD5

                          55d194b3f7b4a49c4b52c62036e2071f

                          SHA1

                          d6985145b3e9618ab02ce8e6307dcc6e80907002

                          SHA256

                          5063cf201d635d92ab187f0ae47405607a55b099cc0ee6c162a0246f9854c337

                          SHA512

                          a0f8744a3ab4c2d3d64c4cc20d3b85fa751be415b5b742dfca02e3ce7e967168e575c43bd2f9e7bc69906478b7a9af57e32d3c1e3cd6ef54cfa4a04176c3cec3

                        • C:\Users\Admin\AppData\Local\Temp\6531ce0e-8e9c-42ec-af19-042b51cdd3c8.vbs

                          Filesize

                          721B

                          MD5

                          7fb92710702106d4902aa38dd194e831

                          SHA1

                          f52f00ab9f0c3d8f1ecdec5d08d7871f58e4104d

                          SHA256

                          c16f57af284e584ec44a41a487da675d0617b6a6609e5a14ae4f92d29c80ec09

                          SHA512

                          97086aa014a2f63c9b0d67166b7dd3d92500faeb997d72f1e4c9027bf60454c7cd3df4faa6eeb470145e4326efeb7b89c80c0604267574ac1fc8df7ce3f84d80

                        • C:\Users\Admin\AppData\Local\Temp\714850e1-a388-4ed6-87ee-c07bc82a70f1.vbs

                          Filesize

                          720B

                          MD5

                          2db7e84b39a0eff0e971a663dedc925b

                          SHA1

                          8f66d477d16dc346f1b09a4fe7aa855cfd20d0ea

                          SHA256

                          2a04bc334688368354f1b801957592fbc60ef723802fe50942c28c9a973df436

                          SHA512

                          c0285a40ad82505289ffd86c72e321de7a14345db0996942343d63c3d89ca5ec0f8e64f0721df5dc70950fbbbb9916907a10089f39bbbb6871237ba62adb48df

                        • C:\Users\Admin\AppData\Local\Temp\9134db37-908c-4b12-8154-6872eb89f89b.vbs

                          Filesize

                          721B

                          MD5

                          7dcbe23f4b0b76096638647aa5cf0767

                          SHA1

                          f221e39534e2a5e7ec5bae2325a0e331d7028a17

                          SHA256

                          6905faf0688998490a3e9eb8a0e5d9e44f437a71139c5ae8b63e341f03b4e1ee

                          SHA512

                          ba23fc15f030b381a6c57ae41b3f4880009391e4578986be1ac13c8740f66900335439635b7f0cbda6f8fc7e29105e5c4a26be9ec4e66a43c8944b24116f76b2

                        • C:\Users\Admin\AppData\Local\Temp\b9814e38-6d80-41d9-9906-d36b3bb5075a.vbs

                          Filesize

                          721B

                          MD5

                          1ff1fd826a3801df7dcf0216a07e8191

                          SHA1

                          fd8adc92eac578cb0197d19faa37b353a3497fd9

                          SHA256

                          d6bdc85b1972d4ddf0f5aaa57d006e0445abb8f1ac6781a1f2f4cec065fea43e

                          SHA512

                          eaea1a9a239d6008b411f215ee06598ecb14398c25272c221d2a1e6b7eac7a8b22526cbc7013a532bd666ca0c2cbb349b970db0f1b43508b934bc4b40202cfa7

                        • C:\Users\Admin\AppData\Local\Temp\d6eba3c7-eaa4-48fb-b106-55e8c1e08021.vbs

                          Filesize

                          721B

                          MD5

                          5210ab4f6aef9e325d8c71ccee5ed4fd

                          SHA1

                          29ca1e9f88c72114f58ded432f82b0d5c73d577d

                          SHA256

                          5537e4b3f6d6a5b1e618288a1f49aef6335ce7af78d7fe2b5b025ecd94aba5c6

                          SHA512

                          aee56b18856601cb7aa331c8da7cabf31b04af9e4e6378b21b1e7b74ac130972f9e525d662584b6304252df8577414dca7cca42c2c78f060d5630521a22164dd

                        • C:\Users\Admin\AppData\Local\Temp\f45c816abc36ba74a05acc781878969903929c42.exe

                          Filesize

                          3.2MB

                          MD5

                          eebb17b29687bc43259824ce63c5e613

                          SHA1

                          078522051bf1f3a997b6f22f182080703decee4d

                          SHA256

                          bb8a31d97262f91161a5bfc00285daf29da15ea036c6ba82508ebc7319fdd0b1

                          SHA512

                          3204df660da0ec97c43c114f98fab70bb339ccef345fbef434606404cad37851e9615847a659ad904463b2b547e6d612e25b0121633b8d128e73bc09fae9abfe

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                          Filesize

                          7KB

                        • C:\Users\Default\d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe (Filesize: 3.2MB)

                        • C:\Windows\Logs\dwm.exe (Filesize: 3.2MB)
